aboutsummaryrefslogtreecommitdiff
path: root/gn3/auth/authorisation/users/admin/views.py
blob: c9f18875630d53f9b18db257af7db49fa3f99b80 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
"""UI for admin stuff"""
import uuid
import json
import random
import string
from functools import partial
from datetime import datetime, timezone, timedelta

from email_validator import validate_email, EmailNotValidError
from flask import (
    flash,
    request,
    url_for,
    redirect,
    Blueprint,
    current_app,
    render_template)


from gn3 import session
from gn3.auth import db
from gn3.auth.db_utils import with_db_connection

from gn3.auth.authentication.oauth2.models.oauth2client import (
    save_client,
    OAuth2Client,
    oauth2_clients,
    client as oauth2_client,
    delete_client as _delete_client)
from gn3.auth.authentication.users import (
    User,
    user_by_id,
    valid_login,
    user_by_email,
    hash_password)

from .ui import is_admin

admin = Blueprint("admin", __name__)

@admin.before_request
def update_expires():
    """Update session expiration."""
    if session.session_info() and not session.update_expiry():
        flash("Session has expired. Logging out...", "alert-warning")
        session.clear_session_info()
        return redirect(url_for("oauth2.admin.login"))
    return None

@admin.route("/dashboard", methods=["GET"])
@is_admin
def dashboard():
    """Admin dashboard."""
    return render_template("admin/dashboard.html")

@admin.route("/login", methods=["GET", "POST"])
def login():
    """Log in to GN3 directly without OAuth2 client."""
    if request.method == "GET":
        return render_template(
            "admin/login.html",
            next_uri=request.args.get("next", "oauth2.admin.dashboard"))

    form = request.form
    next_uri = form.get("next_uri", "oauth2.admin.dashboard")
    error_message = "Invalid email or password provided."
    login_page = redirect(url_for("oauth2.admin.login", next=next_uri))
    try:
        email = validate_email(form.get("email", "").strip(),
                               check_deliverability=False)
        password = form.get("password")
        with db.connection(current_app.config["AUTH_DB"]) as conn:
            user = user_by_email(conn, email["email"])
            if valid_login(conn, user, password):
                session.update_session_info(
                    user=user._asdict(),
                    expires=(
                        datetime.now(tz=timezone.utc) + timedelta(minutes=10)))
                return redirect(url_for(next_uri))
            flash(error_message, "alert-danger")
            return login_page
    except EmailNotValidError as _enve:
        flash(error_message, "alert-danger")
        return login_page

@admin.route("/logout", methods=["GET"])
def logout():
    """Log out the admin."""
    if not session.session_info():
        flash("Not logged in.", "alert-info")
        return redirect(url_for("oauth2.admin.login"))
    session.clear_session_info()
    flash("Logged out", "alert-success")
    return redirect(url_for("oauth2.admin.login"))

def random_string(length: int = 64) -> str:
    """Generate a random string."""
    return "".join(
        random.choice(string.ascii_letters + string.digits + string.punctuation)
        for _idx in range(0, length))

def __response_types__(grant_types: tuple[str, ...]) -> tuple[str, ...]:
    """Compute response types from grant types."""
    resps = {
        "password": ("token",),
        "authorization_code": ("token", "code"),
        "refresh_token": ("token",)
    }
    return tuple(set(
        resp_typ for types_list
        in (types for grant, types in resps.items() if grant in grant_types)
        for resp_typ in types_list))

@admin.route("/register-client", methods=["GET", "POST"])
@is_admin
def register_client():
    """Register an OAuth2 client."""
    def __list_users__(conn):
        with db.cursor(conn) as cursor:
            cursor.execute("SELECT * FROM users")
            return tuple(
                User(uuid.UUID(row["user_id"]), row["email"], row["name"])
                for row in cursor.fetchall())
    if request.method == "GET":
        return render_template(
            "admin/register-client.html",
            scope=current_app.config["OAUTH2_SCOPE"],
            users=with_db_connection(__list_users__),
            current_user=session.session_user())

    form = request.form
    raw_client_secret = random_string()
    default_redirect_uri = form["redirect_uri"]
    grant_types = form.getlist("grants[]")
    client = OAuth2Client(
        client_id = uuid.uuid4(),
        client_secret = hash_password(raw_client_secret),
        client_id_issued_at = datetime.now(tz=timezone.utc),
        client_secret_expires_at = datetime.fromtimestamp(0),
        client_metadata = {
            "client_name": "GN2 Dev Server",
            "token_endpoint_auth_method": [
                "client_secret_post", "client_secret_basic"],
            "client_type": "confidential",
            "grant_types": ["password", "authorization_code", "refresh_token"],
            "default_redirect_uri": default_redirect_uri,
            "redirect_uris": [default_redirect_uri] + form.get("other_redirect_uri", "").split(),
            "response_type": __response_types__(tuple(grant_types)),
            "scope": form.getlist("scope[]")
        },
        user = with_db_connection(partial(
            user_by_id, user_id=uuid.UUID(form["user"])))
    )
    client = with_db_connection(partial(save_client, the_client=client))
    return render_template(
        "admin/registered-client.html",
        client=client,
        client_secret = raw_client_secret)

def __parse_client__(sqlite3_row) -> dict:
    """Parse the client details into python datatypes."""
    return {
        **dict(sqlite3_row),
        "client_metadata": json.loads(sqlite3_row["client_metadata"])
    }

@admin.route("/list-client", methods=["GET"])
@is_admin
def list_clients():
    """List all registered OAuth2 clients."""
    return render_template(
        "admin/list-oauth2-clients.html",
        clients=with_db_connection(oauth2_clients))

@admin.route("/view-client/<uuid:client_id>", methods=["GET"])
@is_admin
def view_client(client_id: uuid.UUID):
    """View details of OAuth2 client with given `client_id`."""
    return render_template(
        "admin/view-oauth2-client.html",
        client=with_db_connection(partial(oauth2_client, client_id=client_id)),
        scope=current_app.config["OAUTH2_SCOPE"])

@admin.route("/edit-client", methods=["POST"])
@is_admin
def edit_client():
    """Edit the details of the given client."""
    form = request.form
    the_client = with_db_connection(partial(
        oauth2_client, client_id=uuid.UUID(form["client_id"])))
    if the_client.is_nothing():
        flash("No such client.", "alert-danger")
        return redirect(url_for("oauth2.admin.list_clients"))
    the_client = the_client.value
    client_metadata = {
        **the_client.client_metadata,
        "default_redirect_uri": form["default_redirect_uri"],
        "redirect_uris": list(set(
            [form["default_redirect_uri"]] +
            form["other_redirect_uris"].split("\r\n"))),
        "grants": form.getlist("grants[]"),
        "scope": form.getlist("scope[]")
    }
    with_db_connection(partial(save_client, the_client=OAuth2Client(
        the_client.client_id,
        the_client.client_secret,
        the_client.client_id_issued_at,
        the_client.client_secret_expires_at,
        client_metadata,
        the_client.user)))
    flash("Client updated.", "alert-success")
    return redirect(url_for("oauth2.admin.view_client",
                            client_id=the_client.client_id))

@admin.route("/delete-client", methods=["POST"])
@is_admin
def delete_client():
    """Delete the details of the client."""
    form = request.form
    the_client = with_db_connection(partial(
        oauth2_client, client_id=uuid.UUID(form["client_id"])))
    if the_client.is_nothing():
        flash("No such client.", "alert-danger")
        return redirect(url_for("oauth2.admin.list_clients"))
    the_client = the_client.value
    with_db_connection(partial(_delete_client, client=the_client))
    flash((f"Client '{the_client.client_metadata.client_name}' was deleted "
           "successfully."),
          "alert-success")
    return redirect(url_for("oauth2.admin.list_clients"))