1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
|
"""UI for admin stuff"""
import uuid
import json
import random
import string
from functools import partial
from datetime import datetime, timezone, timedelta
from email_validator import validate_email, EmailNotValidError
from flask import (
flash,
request,
url_for,
redirect,
Blueprint,
current_app,
render_template)
from gn3 import session
from gn3.auth import db
from gn3.auth.db_utils import with_db_connection
from gn3.auth.authentication.oauth2.models.oauth2client import (
save_client,
OAuth2Client,
oauth2_clients)
from gn3.auth.authentication.users import (
User,
user_by_id,
valid_login,
user_by_email,
hash_password)
from .ui import is_admin
admin = Blueprint("admin", __name__)
@admin.before_request
def update_expires():
"""Update session expiration."""
if session.session_info() and not session.update_expiry():
flash("Session has expired. Logging out...", "alert-warning")
session.clear_session_info()
return redirect(url_for("oauth2.admin.login"))
return None
@admin.route("/dashboard", methods=["GET"])
@is_admin
def dashboard():
"""Admin dashboard."""
return render_template("admin/dashboard.html")
@admin.route("/login", methods=["GET", "POST"])
def login():
"""Log in to GN3 directly without OAuth2 client."""
if request.method == "GET":
return render_template(
"admin/login.html",
next_uri=request.args.get("next", "oauth2.admin.dashboard"))
form = request.form
next_uri = form.get("next_uri", "oauth2.admin.dashboard")
error_message = "Invalid email or password provided."
login_page = redirect(url_for("oauth2.admin.login", next=next_uri))
try:
email = validate_email(form.get("email", "").strip(),
check_deliverability=False)
password = form.get("password")
with db.connection(current_app.config["AUTH_DB"]) as conn:
user = user_by_email(conn, email["email"])
if valid_login(conn, user, password):
session.update_session_info(
user=user._asdict(),
expires=(
datetime.now(tz=timezone.utc) + timedelta(minutes=10)))
return redirect(url_for(next_uri))
flash(error_message, "alert-danger")
return login_page
except EmailNotValidError as _enve:
flash(error_message, "alert-danger")
return login_page
@admin.route("/logout", methods=["GET"])
def logout():
"""Log out the admin."""
if not session.session_info():
flash("Not logged in.", "alert-info")
return redirect(url_for("oauth2.admin.login"))
session.clear_session_info()
flash("Logged out", "alert-success")
return redirect(url_for("oauth2.admin.login"))
def random_string(length: int = 64) -> str:
"""Generate a random string."""
return "".join(
random.choice(string.ascii_letters + string.digits + string.punctuation)
for _idx in range(0, length))
def __response_types__(grant_types: tuple[str, ...]) -> tuple[str, ...]:
"""Compute response types from grant types."""
resps = {
"password": ("token",),
"authorization_code": ("token", "code"),
"refresh_token": ("token",)
}
return tuple(set(
resp_typ for types_list
in (types for grant, types in resps.items() if grant in grant_types)
for resp_typ in types_list))
@admin.route("/register-client", methods=["GET", "POST"])
@is_admin
def register_client():
"""Register an OAuth2 client."""
def __list_users__(conn):
with db.cursor(conn) as cursor:
cursor.execute("SELECT * FROM users")
return tuple(
User(uuid.UUID(row["user_id"]), row["email"], row["name"])
for row in cursor.fetchall())
if request.method == "GET":
return render_template(
"admin/register-client.html",
scope=current_app.config["OAUTH2_SCOPE"],
users=with_db_connection(__list_users__),
current_user=session.session_user())
form = request.form
raw_client_secret = random_string()
default_redirect_uri = form["redirect_uri"]
grant_types = form.getlist("grants[]")
client = OAuth2Client(
client_id = uuid.uuid4(),
client_secret = hash_password(raw_client_secret),
client_id_issued_at = datetime.now(tz=timezone.utc),
client_secret_expires_at = datetime.fromtimestamp(0),
client_metadata = {
"client_name": "GN2 Dev Server",
"token_endpoint_auth_method": [
"client_secret_post", "client_secret_basic"],
"client_type": "confidential",
"grant_types": ["password", "authorization_code", "refresh_token"],
"default_redirect_uri": default_redirect_uri,
"redirect_uris": [default_redirect_uri] + form.get("other_redirect_uri", "").split(),
"response_type": __response_types__(tuple(grant_types)),
"scope": form.getlist("scope[]")
},
user = with_db_connection(partial(
user_by_id, user_id=uuid.UUID(form["user"])))
)
client = with_db_connection(partial(save_client, the_client=client))
return render_template(
"admin/registered-client.html",
client=client,
client_secret = raw_client_secret)
def __parse_client__(sqlite3Row) -> dict:
"""Parse the client details into python datatypes."""
return {
**dict(sqlite3Row),
"client_metadata": json.loads(sqlite3Row["client_metadata"])
}
@admin.route("/list-client", methods=["GET"])
@is_admin
def list_clients():
"""List all registered OAuth2 clients."""
return render_template(
"admin/list-oauth2-clients.html",
clients=with_db_connection(oauth2_clients))
|
