o RD©iºã@sªddlZddlmZddlmZddlmZmZmZddl m Z ddl m Z e  d ¡ZGd d „d eƒZGd d „d eƒZGdd„deƒZGdd„deƒZGdd„deƒZdS)éN)ÚImproperlyConfigured)ÚPermissionDenied)Ú SAFE_METHODSÚBasePermissionÚIsAuthenticatedé)Úoauth2_settingsé)ÚOAuth2AuthenticationÚoauth2_providerc@ó eZdZdZdd„Zdd„ZdS)Ú TokenHasScopeúW The request is authenticated as a user and the token used has the right scope cCs„|j}|sdSt|dƒr>| ||¡}t d |¡¡| |¡r!dStjo0|o0|  ¡ o0|  |¡ }|rcsz4TokenHasResourceScope.get_scopes..r3)rr r!Ú view_scopesrr:rAr%rXs ÿz TokenHasResourceScope.get_scopesr<r$r$r:r%r?Sr>r?c@seZdZdZdd„ZdS)ÚIsAuthenticatedOrTokenHasScopeaÍ The user is authenticated using some backend or the token has the right scope This only returns True if the user is authenticated, but not using a token or using a token, and the token has the correct scope. This is useful when combined with the DjangoModelPermissions to allow people browse the browsable api's if they log in using the a non token bassed middleware, and let them access the api's using a rest client with a token cCs>tƒ ||¡}d}|rt|jtƒ}tƒ}|r| p| ||¡S)NF)rr&Ú isinstanceÚsuccessful_authenticatorr r )rr r!Úis_authenticatedÚoauth2authenticatedÚtoken_has_scoper$r$r%r&ss  z-IsAuthenticatedOrTokenHasScope.has_permissionN)r-r.r/r0r&r$r$r$r%rEhs rEc@r )ÚTokenMatchesOASRequirementsaÍ :attr:alternate_required_scopes: dict keyed by HTTP method name with value: iterable alternate scope lists This fulfills the [Open API Specification (OAS; formerly Swagger)](https://www.openapis.org/) list of alternative Security Requirements Objects for oauth2 or openIdConnect: When a list of Security Requirement Objects is defined on the Open API object or Operation Object, only one of Security Requirement Objects in the list needs to be satisfied to authorize the request. [1](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md#securityRequirementObject) For each method, a list of lists of allowed scopes is tried in order and the first to match succeeds. @example required_alternate_scopes = { 'GET': [['read']], 'POST': [['create1','scope2'], ['alt-scope3'], ['alt-scope4','alt-scope5']], } TODO: DRY: subclass TokenHasScope and iterate over values of required_scope? cCsˆ|j}|sdSt|dƒr@| ||¡}|j ¡}||vr6t d ||¡¡||D] }| |¡r3dSq)dSt  d |¡¡dSJdƒ‚)NFrz4Required scopes alternatives to access resource: {0}Tz*no scope alternates defined for method {0}z~TokenMatchesOASRequirements requires the`oauth2_provider.rest_framework.OAuth2Authentication` authentication class to be used.) rrÚget_required_alternate_scopesr5r6rrrrÚwarning)rr r!r"Úrequired_alternate_scopesÚmÚaltr$r$r%r&’s,   ÿÿ  ÿÿz*TokenMatchesOASRequirements.has_permissioncCr')NrNz_TokenMatchesOASRequirements requires the view to define the required_alternate_scopes attributer(r+r$r$r%rL°r,z9TokenMatchesOASRequirements.get_required_alternate_scopesN)r-r.r/r0r&rLr$r$r$r%rK}s rK)ÚloggingÚdjango.core.exceptionsrÚrest_framework.exceptionsrÚrest_framework.permissionsrrrÚsettingsrÚauthenticationr Ú getLoggerrr r2r?rErKr$r$r$r%Ús     1