o RDi s@snddlZddlZddlZddlZddlmZddlmZddlm Z m Z ddl m Z ddl mZddlmZmZddlmZdd lmZmZmZdd lmZdd lmZdd lmZdd lm Z ddl!m"Z"ddl#m$Z$ddl%m&Z&m'Z'ddl(m)Z)ddlm*Z*ddl+m,Z,ddl-m.Z.e/e0Z1Gdddej2Z3Gdddej2Z4Gdddej5Z6Gdddej7Z8Gddde6Z9Gd d!d!ej5Z:Gd"d#d#e:Z;Gd$d%d%ej5ZGd*d+d+e>Z?Gd,d-d-ej5Z@Gd.d/d/e@ZAd0d1ZBd2d3ZCd4d5ZDd6d7ZEd8d9ZFd:d;ZGdd?ZId@dAZJdBdCZKdDdEZLdFdGZMdHdIZNdS)JN)suppress) timedelta) parse_qslurlparse)apps)settings)identify_hasher make_password)ImproperlyConfigured)modelsrouter transaction)reverse)timezone) gettext_lazy)jwk)base64url_encode)errors)generate_client_idgenerate_client_secret)get_scopes_backend)oauth2_settings) jwk_from_pem)AllowedURIValidatorceZdZfddZZS)ClientSecretFieldc st||j}t|dd}|st||Szt|}t|d|jd|dWn"tyLt|d|jdt|}t ||j||YSwt||S)Nhash_client_secretTz: z is already hashed with .z is not hashed; hashing it now.) getattrattnamesuperpre_saverloggerdebug ValueErrorr setattr)selfmodel_instanceaddsecretshould_be_hashedhasher hashed_secret __class__O/var/www/Datamplify/venv/lib/python3.10/site-packages/oauth2_provider/models.pyr" s  " zClientSecretField.pre_save__name__ __module__ __qualname__r" __classcell__r0r0r.r1rrcr)TokenChecksumFieldcs:t|d}t|d}t||j|t||S)Ntokenzutf-8) rhashlibsha256encode hexdigestr&r r!r")r'r(r)r9checksumr.r0r1r"2s zTokenChecksumField.pre_saver2r0r0r.r1r81r7r8c@seZdZdZdZdZeedfeedffZdZdZ dZ d Z d Z eed fe ed fe ed fe edfe edffZ dZdZdZeedfeedfeedffZejddZejddeddZejejdddejdZejdeddZejdedddZejd ed!Z ejd e d!Z!e"d"de#ded#d$Z$ej%dd%Z&ejd"dd&Z'ej%d'd%Z(ej)dd(Z*ej)dd)Z+ejd*eedd+Z,ejded,ddZ-Gd-d.d.Z.d/d0Z/e0d1d2Z1d3d4Z2d5d6Z3d7d8Z4d9d:Z5d;d<Z6d=d>Z7d?d@Z8dAdBZ9e0dCdDZ:dES)FAbstractApplicationa An Application instance represents a Client on the Authorization server. Usually an Application is created manually by client's developers after logging in on an Authorization Server. Fields: * :attr:`client_id` The client identifier issued to the client during the registration process as described in :rfc:`2.2` * :attr:`user` ref to a Django user * :attr:`redirect_uris` The list of allowed redirect uri. The string consists of valid URLs separated by space * :attr:`post_logout_redirect_uris` The list of allowed redirect uris after an RP initiated logout. The string consists of valid URLs separated by space * :attr:`client_type` Client type as described in :rfc:`2.1` * :attr:`authorization_grant_type` Authorization flows available to the Application * :attr:`client_secret` Confidential secret issued to the client during the registration process as described in :rfc:`2.2` * :attr:`name` Friendly name for the Application confidentialpublic ConfidentialPubliczauthorization-codeimplicitpasswordzclient-credentialsz openid-hybridzAuthorization codeImplicitzResource owner password-basedzClient credentialszOpenID connect hybridRS256HS256zNo OIDC supportzRSA with SHA-2 256zHMAC with SHA-2 256T primary_keyd) max_lengthuniquedefaultdb_index%(app_label)s_%(class)s) related_namenullblank on_deletez"Allowed URIs list, space separated)rT help_textz.Allowed Post Logout URIs list, space separated)rTrVrO )rMchoicesz4Hashed on Save. Copy it now if this is a new secret.)rMrTrOrPrV)rO)rMrTF auto_now_addauto_now)rMrXrOrTz4Allowed origins list to enable CORS, space separatedc@eZdZdZdS)zAbstractApplication.MetaTNr3r4r5abstractr0r0r0r1MetarbcCs |jp|jSN)name client_idr'r0r0r1__str__ zAbstractApplication.__str__cCs<|jr|j}t|dkr|jdStJd)zP Returns the default redirect_uri, *if* only one is registered. rrFzIf you are using implicit, authorization_code or all-in-one grant_type, you must define redirect_uris field in your Application model) redirect_urissplitlenpoprMissingRedirectURIError)r'urisr0r0r1default_redirect_uris  z(AbstractApplication.default_redirect_uricCt||jS)z{ Checks if given url is one of the items in :attr:`redirect_uris` string :param uri: Url to check )redirect_to_uri_allowedrjrkr'urir0r0r1redirect_uri_allowedz(AbstractApplication.redirect_uri_allowedcCrq)z Checks if given URI is one of the items in :attr:`post_logout_redirect_uris` string :param uri: URI to check )rrpost_logout_redirect_urisrkrsr0r0r1 post_logout_redirect_uri_allowedrvz4AbstractApplication.post_logout_redirect_uri_allowedcCs|jo t||jS)z Checks if given origin is one of the items in :attr:`allowed_origins` string :param origin: Origin to check )allowed_originsis_origin_allowedrk)r'originr0r0r1origin_allowedsz"AbstractApplication.origin_allowedc Csddlm}tjtjtjf}tjtjf}|j}t dd| D}|r:t |dddd}|D]}||q2n|j |vrJ|t dj|j d |j}|rbt tjd }|D]}||q[|jtjkrqtjsq|t d |jtjkrt|j |v|jtjkfr|t d dSdS) Nr)ValidationErrorcss|]}|VqdSrd)lower).0sr0r0r1 sz,AbstractApplication.clean..z redirect uriT)re allow_path allow_queryz:redirect_uris cannot be empty with grant_type {grant_type}) grant_typezallowed origin6You must set OIDC_RSA_PRIVATE_KEY to use RSA algorithmz2You cannot use HS256 with public grants or clients)django.core.exceptionsr}r?GRANT_AUTHORIZATION_CODEGRANT_IMPLICITGRANT_OPENID_HYBRIDrjstriprksetget_allowed_schemesrauthorization_grant_type_formatryrALLOWED_SCHEMES algorithmRS256_ALGORITHMOIDC_RSA_PRIVATE_KEYHS256_ALGORITHMany client_type Application CLIENT_PUBLIC) r'r} grant_typeshs_forbidden_grant_typesrjallowed_schemes validatorrtryr0r0r1cleansP          zAbstractApplication.cleancCstdt|jgdS)Nzoauth2_provider:detail)args)rstrpkrgr0r0r1get_absolute_urlsz$AbstractApplication.get_absolute_urlcCstjS)z Returns the list of redirect schemes allowed by the Application. By default, returns `ALLOWED_REDIRECT_URI_SCHEMES`. )rALLOWED_REDIRECT_URI_SCHEMESrgr0r0r1rsz'AbstractApplication.get_allowed_schemescGs |j|vSrd)r)r'rr0r0r1allows_grant_type z%AbstractApplication.allows_grant_typecCsdS)z Determines whether the application can be used. :param request: The oauthlib.common.Request being processed. Tr0)r'requestr0r0r1 is_usableszAbstractApplication.is_usablecCsL|jtjkrtjs tdttjS|jtjkr"tj dt |j dStd)Nroct)ktykz/This application does not support signed tokens) rr?rrrr rrrJWKr client_secretrgr0r0r1jwk_key s   zAbstractApplication.jwk_keyN);r3r4r5__doc__CLIENT_CONFIDENTIALrr CLIENT_TYPESrrGRANT_PASSWORDGRANT_CLIENT_CREDENTIALSr GRANT_TYPES NO_ALGORITHMrrALGORITHM_TYPESr BigAutoFieldid CharFieldrrf ForeignKeyrAUTH_USER_MODELCASCADEuser TextFieldrjrwrrrrr BooleanFieldrreskip_authorization DateTimeFieldcreatedupdatedrryrbrhpropertyrprurxr|rrrrrrr0r0r0r1r?9s                1r?c@seZdZddZdS)ApplicationManagercCs |j|dS)Nrf)get)r'rfr0r0r1get_by_natural_keyriz%ApplicationManager.get_by_natural_keyN)r3r4r5rr0r0r0r1rs rc@s,eZdZeZGdddejZddZdS)rc@r_)zApplication.Meta!OAUTH2_PROVIDER_APPLICATION_MODELNr3r4r5 swappabler0r0r0r1rbrcrbcCs|jfSrdrrgr0r0r1 natural_key"szApplication.natural_keyN)r3r4r5robjectsr?rbrr0r0r0r1rs rc@seZdZdZdZdZedfedffZejddZ ej e j ej ddZejddd Zej ejej d ZeZeZejdd Zejdd Zejdd ZejddddZejdddedZejddddZejdd ZddZddZ ddZ!GdddZ"dS) AbstractGranta A Grant instance represents a token with a short lifetime that can be swapped for an access token, as described in :rfc:`4.1.2` Fields: * :attr:`user` The Django user who requested the grant * :attr:`code` The authorization code generated by the authorization server * :attr:`application` Application instance this grant was asked for * :attr:`expires` Expire time in seconds, defaults to :data:`settings.AUTHORIZATION_CODE_EXPIRE_SECONDS` * :attr:`redirect_uri` Self explained * :attr:`scope` Required scopes, optional * :attr:`code_challenge` PKCE code challenge * :attr:`code_challenge_method` PKCE code challenge transform algorithm plainS256TrJrQrUrRrY)rMrNrUrTrZr\rG)rMrTrO )rMrTrOrXcC|jsdSt|jkSz@ Check token expiration with timezone awareness Texpiresrnowrgr0r0r1 is_expiredQzAbstractGrant.is_expiredcCs ||jkSrd) redirect_urirsr0r0r1ruZrz"AbstractGrant.redirect_uri_allowedcC|jSrd)codergr0r0r1rh]zAbstractGrant.__str__c@r_)zAbstractGrant.MetaTNr`r0r0r0r1rb`rcrbN)#r3r4r5rCODE_CHALLENGE_PLAINCODE_CHALLENGE_S256CODE_CHALLENGE_METHODSr rrrrrrrrrrAPPLICATION_MODEL applicationrrrrscoperrcode_challengecode_challenge_methodnonceclaimsrrurhrbr0r0r0r1r&s4       rc@eZdZGdddejZdS)Grantc@r_)z Grant.MetaOAUTH2_PROVIDER_GRANT_MODELNrr0r0r0r1rbercrbN)r3r4r5rrbr0r0r0r1rdrc@seZdZdZejddZejej ej ddddZ ej e jejddddZeZeddddd Zej e jej ddd dZeje jej ddd ZeZejdd Zejdd ZejddZdddZddZddZ ddZ!e"ddZ#ddZ$GdddZ%dS)AbstractAccessTokena An AccessToken instance represents the actual access token to access user's resources, as in :rfc:`5`. Fields: * :attr:`user` The Django user representing resources" owner * :attr:`source_refresh_token` If from a refresh, the consumed RefeshToken * :attr:`token` Access token * :attr:`application` Application instance * :attr:`expires` Date and time of token expiration, in DateTime format * :attr:`scope` Allowed scopes TrJrQrUrTrSrRrefreshed_access_token@F)rMrTrNrP access_tokenrUrTrSrrZr\NcC| o ||Sz Checks if the access token is valid. :param scopes: An iterable containing the scopes to check or None r allow_scopesr'scopesr0r0r1is_validzAbstractAccessToken.is_validcCrrrrgr0r0r1rrzAbstractAccessToken.is_expiredcC(|sdSt|j}t|}||Sz Check if the token allows the provided scopes :param scopes: An iterable containing the scopes to check Trrrkissubsetr'rprovided_scopesresource_scopesr0r0r1r  z AbstractAccessToken.allow_scopescC |dS)z Convenience method to uniform tokens" interface, for now simply remove this token from the database in order to revoke it. Ndeletergr0r0r1revoke zAbstractAccessToken.revokec*t}|jfdd|DS)k Returns a dictionary of allowed scope names (as keys) with their descriptions (as values) ci|] \}}|vr||qSr0r0rredesc token_scopesr0r1 z.AbstractAccessToken.scopes..rget_all_scopesrrkitemsr' all_scopesr0r r1r  zAbstractAccessToken.scopescCrrdr9rgr0r0r1rhrzAbstractAccessToken.__str__c@r_)zAbstractAccessToken.MetaTNr`r0r0r0r1rbrcrbrd)&r3r4r5rr rrrrrrr OneToOneFieldrREFRESH_TOKEN_MODELSET_NULLsource_refresh_tokenrr9r8token_checksumID_TOKEN_MODELid_tokenrrrrrrrrrrrrrrhrbr0r0r0r1risb       rc@r) AccessTokenc@r_)zAccessToken.Meta"OAUTH2_PROVIDER_ACCESS_TOKEN_MODELNrr0r0r0r1rbrcrbN)r3r4r5rrbr0r0r0r1rrrc@seZdZdZejddZejej ej ddZ ej ddZ ejejej dZejejejddd d Zejddd d Zejdd ZejddZejddZddZddZGdddZdS)AbstractRefreshTokena A RefreshToken instance represents a token that can be swapped for a new access token when it expires. Fields: * :attr:`user` The Django user representing resources" owner * :attr:`token` Token value * :attr:`application` Application instance * :attr:`access_token` AccessToken instance this refresh token is bounded to * :attr:`revoked` Timestamp of when this refresh token was revoked TrJrQrrY)rMr refresh_tokenrF)rSrTeditablerZr\)rSc Cst}t|}t}tj|dP|jj|j dd}|s( WddSt |d}t |j |jj |jdWdn1sHwYd|_t|_|WddS1sdwYdS)zQ Mark this refresh token revoked and revoke related access token )usingT)rrevoked__isnullNr)r)get_access_token_modelr db_for_writeget_refresh_token_modelr atomicrselect_for_updatefilterrlistr DoesNotExistraccess_token_idrrrrrevokedsave)r'access_token_modelaccess_token_databaserefresh_token_modelr9r0r0r1rs      "zAbstractRefreshToken.revokecCrrdrrgr0r0r1rhrzAbstractRefreshToken.__str__c@seZdZdZdZdS)zAbstractRefreshToken.MetaT)r9r/N)r3r4r5raunique_togetherr0r0r0r1rbsrbN)r3r4r5rr rrrrrrrrr9rrrrACCESS_TOKEN_MODELrr UUIDField token_familyrrrr/rrhrbr0r0r0r1r!s,      r!c@r) RefreshTokenc@r_)zRefreshToken.Meta#OAUTH2_PROVIDER_REFRESH_TOKEN_MODELNrr0r0r0r1rb!rcrbN)r3r4r5r!rbr0r0r0r1r8 rr8c@seZdZdZejddZejej ej ddddZ ej de jdddZejejej ddd ZeZejdd Zejdd Zejdd ZdddZddZddZddZeddZddZGdddZ d S)AbstractIDTokena4 An IDToken instance represents the actual token to access user's resources, as in :openid:`2`. Fields: * :attr:`user` The Django user representing resources' owner * :attr:`jti` ID token JWT Token ID, to identify an individual token * :attr:`application` Application instance * :attr:`expires` Date and time of token expiration, in DateTime format * :attr:`scope` Allowed scopes * :attr:`created` Date and time of token creation, in DateTime format * :attr:`updated` Date and time of token update, in DateTime format TrJrQrFz JWT Token ID)rNrOr# verbose_namerrrZr\NcCrrrrr0r0r1rJrzAbstractIDToken.is_validcCrrrrgr0r0r1rRrzAbstractIDToken.is_expiredcCrrrrr0r0r1r[rzAbstractIDToken.allow_scopescCr)z Convenience method to uniform tokens' interface, for now simply remove this token from the database in order to revoke it. Nrrgr0r0r1rirzAbstractIDToken.revokecr)r cr r0r0r r r0r1rwrz*AbstractIDToken.scopes..rrr0r r1rprzAbstractIDToken.scopescCs dj|dS)Nz$JTI: {self.jti} User: {self.user_id}rg)rrgr0r0r1rhyrizAbstractIDToken.__str__c@r_)zAbstractIDToken.MetaTNr`r0r0r0r1rb|rcrbrd)!r3r4r5rr rrrrrrrr6uuiduuid4jtirrrrrrrrrrrrrrrrhrbr0r0r0r1r:%s:       r:c@r)IDTokenc@r_)z IDToken.MetaOAUTH2_PROVIDER_ID_TOKEN_MODELNrr0r0r0r1rbrcrbN)r3r4r5r:rbr0r0r0r1r?rr?cC ttjS)zReturn the IDToken admin class that is active in this project.)rID_TOKEN_ADMIN_CLASS)id_token_admin_classr0r0r1get_id_token_admin_classrLrUcCrH)zCReturn the RefreshToken admin class that is active in this project.)rREFRESH_TOKEN_ADMIN_CLASS)refresh_token_admin_classr0r0r1get_refresh_token_admin_classrLrXcCsrdd}t}d}t}t}t}t}tj}|r9t|t s5zt |d}Wn t y4d}t |w||}|rjt j |d} |j| } || | } td| t j |d} |j| } || | }td|ntd |t j d |d }|j|}|||}td |t j d |d }|j|}|||}td|t j |d}|j|}|||}td|dS)Nc Sstj}tj}|}}|rH|jdddd|}|}|jjjt|d t |d||d|jj|}t ||}|s|jj|}||} | S)NrT)flat)id__inz tokens deleted, z left)rCLEAR_EXPIRED_TOKENS_BATCH_SIZE#CLEAR_EXPIRED_TOKENS_BATCH_INTERVALcount values_listmodelrr+r,rr#r$timesleep) querysetqueryr[r\ current_nostart_no flat_queryset batch_lengthstop_nodeletedr0r0r1 batch_deletes   z#clear_expired..batch_delete)secondszBREFRESH_TOKEN_EXPIRE_SECONDS must be either a timedelta or seconds) revoked__ltz!%s Revoked refresh tokens deleted)access_token__expires__ltz!%s Expired refresh tokens deletedz3refresh_expire_at is %s. No refresh tokens deleted.T)refresh_token__isnull expires__ltz %s Expired access tokens deleted)access_token__isnullroz%s Expired ID tokens deleted)roz%s Expired grant tokens deleted)rrr&r(rGrFrREFRESH_TOKEN_EXPIRE_SECONDS isinstancer TypeErrorr r Qrr+r#info)rjrrefresh_expire_atr1r3id_token_model grant_modelrqe revoked_queryr/revoked_deleted_no expired_queryexpiredexpired_deleted_noaccess_token_query access_tokensaccess_tokens_delete_noid_token_query id_tokensid_tokens_delete_no grants_querygrantsgrants_deleted_nor0r0r1 clear_expiredsN                   rcCst|}tt|j}|D]J}t|}|jdko!|jdvo!|jdu}|r6|j|jkr6|j|jkr6|j|jksH|j|jkrW|j|jkrW|j|jkrWtt|j}| |rWdSq dS)a Checks if a given uri can be redirected to based on the provided allowed_uris configuration. On top of exact matches, this function also handles loopback IPs based on RFC 8252. :param uri: URI to check :param allowed_uris: A list of URIs that are allowed http)z 127.0.0.1z::1NTF) rrrrcschemehostnameportpathnetlocr)rt allowed_uris parsed_uriuqs_set allowed_uriparsed_allowed_uriallowed_uri_is_loopbackaqs_setr0r0r1rrs,         rrcCsLt|}|jtjvr dS|D]}t|}|j|jkr#|j|jkr#dSqdS)z Checks if a given origin uri is allowed based on the provided allowed_origins configuration. :param origin: Origin URI to check :param allowed_origins: A list of Origin URIs that are allowed FT)rrrrr)r{ry parsed_originallowed_originparsed_allowed_originr0r0r1rz0s   rz)Or:loggingr`r< contextlibrdatetimer urllib.parserr django.appsr django.confrdjango.contrib.auth.hashersrr rr django.dbr r r django.urlsr django.utilsrdjango.utils.translationrrjwcryptorjwcrypto.commonroauthlib.oauth2.rfc6749r generatorsrrrrrutilsr validatorsr getLoggerr3r#rrr8Modelr?Managerrrrrrrr!r8r:r?rCrFr&rGr(rKrOrRrUrXrrrrzr0r0r0r1sf                _ >oC[F .