ó O'—^c@sGddlmZddlZddlZddlZddlZddlmZddlm Z ddl m Z ddl m Z ddlmZdd lmZdd lmZmZmZmZmZdd lmZejd ƒZiejfd 6ejfd6ejfd6ejejejfd6Zdefd„ƒYZ dS(iÿÿÿÿ(tunicode_literalsN(t timedelta(ttimezone(t authenticate(tObjectDoesNotExist(tRequestValidatori(t unquote_plus(tGrantt AccessTokent RefreshTokentget_application_modeltAbstractApplication(toauth2_settingsuoauth2_provideruauthorization_codeupassworduclient_credentialsu refresh_tokentOAuth2ValidatorcBsàeZd„Zd„Zd„Zd„Zd„Zd„Zd„Zd„Z d„Z d „Z d „Z d „Z d „Zd „Zd„Zd„Zd„Zd„Zd„Zd„Zd„Zd„Zd„Zd„ZRS(cCsg|jjddƒ}|sdS|jddƒ}t|ƒdkrGdS|\}}|dkrcdS|S(uk Return authentication string if request contains basic auth credentials, else return None uHTTP_AUTHORIZATIONu iiuBasicN(theaderstgettNonetsplittlen(tselftrequesttauthtsplittedt auth_typet auth_string((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pyt_extract_basic_auths  cCs]|j|ƒ}|stSy |j}Wntk r?d}nXt|tjƒrd|j|ƒ}nytj |ƒ}Wn+t t j fk r¤t jd|ƒtSXy|j|ƒ}Wn%tk rßt jd||ƒtSXtt|jddƒƒ\}}|j||ƒdkr.t jd|ƒtS|jj|krUt jd|ƒtStSdS( uÏ Authenticates with HTTP Basic Auth. Note: as stated in rfc:`2.3.1`, client_id and client_secret must be encoded with "application/x-www-form-urlencoded" encoding algorithm. uutf-8u0Failed basic auth: %s can't be decoded as base64u7Failed basic auth: %s can't be decoded as unicode by %su:iu0Failed basic auth: Application %s does not existu)Failed basic auth: wrong client secret %sN(RtFalsetencodingtAttributeErrort isinstancetsixt string_typestencodetbase64t b64decodet TypeErrortbinasciitErrortlogtdebugtdecodetUnicodeDecodeErrortmapRRt_load_applicationRtclientt client_secrettTrue(RRRRt b64_decodedtauth_string_decodedt client_idR-((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pyt_authenticate_basic_auth0s:     !cCs‡y|j}|j}Wntk r*tSX|j||ƒdkrXtjd|ƒtS|jj|krtjd|ƒtSt SdS(u9 Try to authenticate the client using client_id and client_secret parameters included in body. Remember that this method is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme. See rfc:`2.3.1` for more details. u0Failed body auth: Application %s does not existsu(Failed body auth: wrong client secret %sN( R1R-RRR+RR&R'R,R.(RRR1R-((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pyt_authenticate_request_body^s    cCs}t|dƒstdƒ‚tƒ}y,|jpB|jjd|ƒ|_|jSWn&|jk rxtjd|ƒdSXdS(u… If request.client was not set, load application instance for given client_id and store it in request.client uclientu,'request' instance has no 'client' attributeR1u9Failed body authentication: Application %s does not existN( thasattrtAssertionErrorR R,tobjectsRt DoesNotExistR&R'R(RR1Rt Application((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pyR+vs ! cOs™|j|ƒrtSy|jr,|jr,tSWntk rMtjdƒnX|j|j|ƒ|jr}|jj t j kSt t |ƒj|||ŽS(uh Determine if the client has to be authenticated This method is called only for grant types that supports client authentication: * Authorization code grant * Resource owner password grant * Refresh token grant If the request contains authorization headers, always authenticate the client no matter the grant type. If the request does not contain authorization headers, proceed with authentication only if the client is of type `Confidential`. If something goes wrong, call oauthlib implementation of the method. u\Client id or client secret not provided, proceed evaluating if authentication is required...(RR.R1R-RR&R'R+R,t client_typeR tCLIENT_CONFIDENTIALtsuperR tclient_authentication_required(RRtargstkwargs((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pyR<‡s   cOs+|j|ƒ}|s'|j|ƒ}n|S(uà Check if client exists and it's authenticating itself as in rfc:`3.2.1` First we try to authenticate with HTTP Basic Auth, and that is the PREFERRED authentication method. Whether this fails we support including the client credentials in the request-body, but this method is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme. See rfc:`2.3.1` for more details (R2R3(RRR=R>t authenticated((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pytauthenticate_client©s cOsL|j||ƒdk rHtjd||jjfƒ|jjtjkStS(uð If we are here, the client did not authenticate itself as in rfc:`3.2.1` and we can proceed only if the client exists and it's not of type 'Confidential'. Also assign Application instance to request.client. uApplication %s has type %sN( R+RR&R'R,R9R R:R(RR1RR=R>((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pytauthenticate_client_idºscOs(tjjd|d|ƒ}|j|ƒS(uc Ensure the redirect_uri is listed in the Application instance redirect_uris field tcodet application(RR6Rtredirect_uri_allowed(RR1RBt redirect_uriR,R=R>tgrant((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pytconfirm_redirect_uriÅscOs,tjjd|d|jƒ}|jƒdS(uQ Remove the temporary grant used to swap the authorization token RBRCN(RR6RR,tdelete(RR1RBRR=R>RF((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pytinvalidate_authorization_codeÌscOs|j||ƒdk S(u{ Ensure an Application exists with given client_id. If it exists, it's assigned to request.client. N(R+R(RR1RR=R>((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pytvalidate_client_idÓscOs |jjS(N(R,tdefault_redirect_uri(RR1RR=R>((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pytget_default_redirect_uriÚscCsŒ|s tSyftjjddƒjd|ƒ}|j|ƒrk|j|_|j|_||_ ||_ t StSWntj k r‡tSXdS(uX When users try to access resources, check that provided token is valid u applicationuuserttokenN( RRR6tselect_relatedRtis_validRCR,tusertscopest access_tokenR.R7(RRMRQRRR((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pytvalidate_bearer_tokenÝs     cOspyTtjjd|d|ƒ}|jƒsO|jjdƒ|_|j|_tSt SWntj k rkt SXdS(NRBRCu ( RR6Rt is_expiredtscopeRRQRPR.RR7(RR1RBR,RR=R>RF((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pyt validate_codeós  cOs&|tkst‚|jjt|kS(uk Validate both grant_type is a valid string and grant_type is allowed for current workflow (tGRANT_TYPE_MAPPINGR5R,tauthorization_grant_type(RR1t grant_typeR,RR=R>((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pytvalidate_grant_typeÿscOs@|dkr|jtjkS|dkr8|jtjkStSdS(u¼ We currently do not support the Authorization Endpoint Response Types registry as in rfc:`8.4`, so validate the response_type only if it matches 'code' or 'token' ucodeutokenN(RXR tGRANT_AUTHORIZATION_CODEtGRANT_IMPLICITR(RR1t response_typeR,RR=R>((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pytvalidate_response_types   cOst|ƒjttjƒƒS(uZ Ensure required scopes are permitted (as specified in the settings file) (tsettissubsetR t_SCOPES(RR1RQR,RR=R>((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pytvalidate_scopesscOstjS(N(R t_DEFAULT_SCOPES(RR1RR=R>((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pytget_default_scopesscOs|jj|ƒS(N(R,RD(RR1RERR=R>((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pytvalidate_redirect_uriscOsptjƒtdtjƒ}td|jd|jd|dd|d|jdd j |j ƒƒ}|j ƒdS( NtsecondsRCRPRBucodetexpiresRERUu ( RtnowRR t!AUTHORIZATION_CODE_EXPIRE_SECONDSRR,RPREtjoinRQtsave(RR1RBRR=R>Rgtg((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pytsave_authorization_codes  "c Os|jrOy tjjd|jƒjƒWqOtjk rKdsLt‚qOXntjƒt dt j ƒ}|j dkr†d |_ntd|jd|dd|d|dd |jƒ}|jƒd |kr td|jd|d d |jd |ƒ}|jƒnt j |d RgRRRn((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pytsave_bearer_token&s.              c OsË|dkrd}nitd6td6}|j|tƒ}y|jjd|ƒjƒWnltk rÆx\g|jƒD]}||krx|^qxD]+} tt d„| jj d|ƒƒƒq”WnXdS(uß Revoke an access or refresh token. :param token: The token string. :param token_type_hint: access_token or refresh_token. :param request: The HTTP Request (oauthlib.common.Request) u access_tokenu refresh_tokenRMcSs |jƒS(N(Ro(tt((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pyt`tN(u access_tokenu refresh_token( RRR RR6RoRtvaluestlistR*tfilter( RRMttoken_type_hintRR=R>t token_typest token_typet_tt other_type((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pyt revoke_tokenJs    2cOs;td|d|ƒ}|dk r7|jr7||_tStS(uS Check username and password correspond to a valid and active User tusernametpasswordN(RRt is_activeRPR.R(RR~RR,RR=R>tu((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pyt validate_userbs  cOs|j}|jjS(N(trefresh_token_instanceRRRU(RRnRR=R>trt((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pytget_original_scopesls cOscyGtjjd|ƒ}|j|_|j|_||_|j|kSWntjk r^t SXdS(u„ Check refresh_token exists and refers to the right client. Also attach User instance to the request object RMN( R R6RRPRMRnRƒRCR7R(RRnR,RR=R>R„((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pytvalidate_refresh_tokenrs   (t__name__t __module__RR2R3R+R<R@RARGRIRJRLRSRVRZR^RbRdReRmRqR}R‚R…R†(((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pyR s0  .   "            $  (!t __future__RRR!R$tloggingtdatetimeRt django.utilsRtdjango.contrib.authRtdjango.core.exceptionsRtoauthlib.oauth2RtcompatRtmodelsRRR R R tsettingsR t getLoggerR&R[tGRANT_PASSWORDtGRANT_CLIENT_CREDENTIALSRWR (((sC/tmp/pip-unpacked-wheel-ndW12l/oauth2_provider/oauth2_validators.pyts(    (