Revision b699aa44
Added by Serghei Mihai over 9 years ago
ckanext/ozwillo_pyoidc/plugin.py | ||
---|---|---|
17 | 17 |
log = logging.getLogger(__name__) |
18 | 18 |
plugin_controller = 'ckanext.ozwillo_pyoidc.plugin:OpenidController' |
19 | 19 |
|
20 |
CLIENT = None |
|
20 |
_CLIENTS = {} |
|
21 |
|
|
22 |
class Clients(object): |
|
23 |
|
|
24 |
@classmethod |
|
25 |
def get(cls, g): |
|
26 |
global _CLIENTS |
|
27 |
if g.id in _CLIENTS: |
|
28 |
return _CLIENTS.get(g.id) |
|
29 |
client = cls().get_client(g) |
|
30 |
_CLIENTS.update({g.id: client}) |
|
31 |
return client |
|
32 |
|
|
33 |
def get_client(self, g): |
|
34 |
params = conf.CLIENT.copy() |
|
35 |
params['client_registration'].update({ |
|
36 |
'client_id': g._extras['client_id'].value, |
|
37 |
'client_secret': g._extras['client_secret'].value, |
|
38 |
'redirect_uris': [toolkit.url_for(host=request.host, |
|
39 |
controller=plugin_controller, |
|
40 |
action='callback', |
|
41 |
id=g.name, |
|
42 |
qualified=True)] |
|
43 |
}) |
|
44 |
return create_client(**params) |
|
45 |
|
|
21 | 46 |
|
22 | 47 |
class OzwilloPyoidcPlugin(plugins.SingletonPlugin): |
23 | 48 |
plugins.implements(plugins.IConfigurer) |
... | ... | |
49 | 74 |
toolkit.c.userobj = userobj |
50 | 75 |
|
51 | 76 |
def login(self): |
52 |
global CLIENT |
|
53 | 77 |
if 'organization_id' in session: |
54 | 78 |
g = model.Group.get(session['organization_id']) |
55 |
conf.CLIENT['client_registration'].update({ |
|
56 |
'client_id': g._extras['client_id'].value, |
|
57 |
'client_secret': g._extras['client_secret'].value, |
|
58 |
'redirect_uris': [toolkit.url_for(host=request.host, |
|
59 |
controller=plugin_controller, |
|
60 |
action='callback', |
|
61 |
id=g.name, |
|
62 |
qualified=True)] |
|
63 |
}) |
|
64 |
log.info('registration info for organization "%s" set' % g.name) |
|
65 |
CLIENT = create_client(**conf.CLIENT) |
|
66 |
url, ht_args = CLIENT.create_authn_request(session, conf.ACR_VALUES) |
|
79 |
client = Clients.get(g) |
|
80 |
url, ht_args = client.create_authn_request(session, conf.ACR_VALUES) |
|
67 | 81 |
if ht_args: |
68 | 82 |
toolkit.request.headers.update(ht_args) |
69 | 83 |
toolkit.redirect_to(url) |
... | ... | |
92 | 106 |
toolkit.redirect_to(login_url) |
93 | 107 |
|
94 | 108 |
def callback(self): |
95 |
global CLIENT
|
|
96 |
if CLIENT:
|
|
97 |
userinfo = CLIENT.callback(request.GET)
|
|
98 |
log.info('Received userinfo: %s' % userinfo)
|
|
99 |
userobj = model.User.get(userinfo['nickname'])
|
|
100 |
if userobj:
|
|
101 |
userobj.email = userinfo['email']
|
|
102 |
if 'given_name' in userinfo:
|
|
103 |
userobj.fullname = userinfo['given_name']
|
|
104 |
if 'family_name' in userinfo:
|
|
105 |
userobj.fullname += userinfo['family_name']
|
|
106 |
userobj.save()
|
|
107 |
session['user'] = userobj.id
|
|
108 |
session.save()
|
|
109 |
|
|
110 |
org_url = toolkit.url_for(host=request.host,
|
|
111 |
controller="organization",
|
|
112 |
action='read',
|
|
113 |
id=session['organization_id'],
|
|
114 |
qualified=True)
|
|
115 |
toolkit.redirect_to(org_url)
|
|
109 |
g = model.Group.get(session['organization_id'])
|
|
110 |
client = Clients.get(g)
|
|
111 |
userinfo = client.callback(request.GET)
|
|
112 |
log.info('Received userinfo: %s' % userinfo) |
|
113 |
userobj = model.User.get(userinfo['nickname']) |
|
114 |
if userobj: |
|
115 |
userobj.email = userinfo['email'] |
|
116 |
if 'given_name' in userinfo: |
|
117 |
userobj.fullname = userinfo['given_name'] |
|
118 |
if 'family_name' in userinfo: |
|
119 |
userobj.fullname += userinfo['family_name'] |
|
120 |
userobj.save() |
|
121 |
session['user'] = userobj.id |
|
122 |
session.save() |
|
123 |
|
|
124 |
org_url = toolkit.url_for(host=request.host, |
|
125 |
controller="organization", |
|
126 |
action='read', |
|
127 |
id=g.id,
|
|
128 |
qualified=True) |
|
129 |
toolkit.redirect_to(org_url) |
|
116 | 130 |
|
117 | 131 |
def slo(self): |
118 | 132 |
""" |
119 | 133 |
Revokes the delivered access token. Logs out the user |
120 | 134 |
""" |
121 |
global CLIENT |
|
122 |
logout_url = CLIENT.end_session_endpoint |
|
135 |
g = model.Group.get(session['organization_id']) |
|
136 |
client = Clients.get(g) |
|
137 |
logout_url = client.end_session_endpoint |
|
123 | 138 |
org_url = toolkit.url_for(host=request.host, |
124 | 139 |
controller='organization', |
125 | 140 |
action='read', |
... | ... | |
129 | 144 |
|
130 | 145 |
# revoke the access token |
131 | 146 |
headers = {'Content-Type': 'application/x-www-form-urlencoded'} |
132 |
data = 'token=%s&token_type_hint=access_token' % CLIENT.access_token
|
|
133 |
CLIENT.http_request(CLIENT.revocation_endpoint, 'POST',
|
|
147 |
data = 'token=%s&token_type_hint=access_token' % client.access_token
|
|
148 |
client.http_request(client.revocation_endpoint, 'POST',
|
|
134 | 149 |
data=data, headers=headers) |
135 | 150 |
|
136 | 151 |
# redirect to IDP logout |
137 |
logout_url += '?id_token_hint=%s&' % CLIENT.id_token
|
|
152 |
logout_url += '?id_token_hint=%s&' % client.id_token
|
|
138 | 153 |
logout_url += 'post_logout_redirect_uri=%s' % redirect_uri |
139 | 154 |
toolkit.redirect_to(str(logout_url)) |
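Review bot: The `_CLIENTS` cache in `Clients.get` (new lines 24–31) hands every user of an organization the same client object, and `slo` then reads `client.access_token` and `client.id_token` from that shared instance, so the token revoked and the `id_token_hint` sent for one user's logout can belong to whichever user completed `callback` last; the old module-level `CLIENT` had the same property and this change does not resolve it, so per-user tokens should be kept in `session` (or the cache keyed per session) rather than on the cached client. In `get_client`, `conf.CLIENT.copy()` is a shallow copy, so `params['client_registration'].update(...)` still mutates the shared `conf.CLIENT['client_registration']` dict across organizations; build a fresh mapping instead, e.g. `params['client_registration'] = dict(conf.CLIENT['client_registration'], client_id=..., client_secret=..., redirect_uris=[...])`. The `if CLIENT:` guard that `callback` used to have is gone, and both `callback` and `slo` now index `session['organization_id']` and call `Clients.get(g)` unguarded, so a missing session key or `model.Group.get` returning `None` surfaces as a KeyError/AttributeError rather than a handled redirect — `login` already checks `'organization_id' in session`, and the same check belongs in these two methods. Note also that a cached entry is never invalidated, so a rotated `client_id`/`client_secret` in `g._extras` will not take effect until the process restarts. The bodies of `login` and `slo` extend outside the shown hunks.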
OIDC client computed for each organization