import os
import logging
-from routes.route import Route
-from webob import exc
-
from mediagoblin.tools import pluginapi
-from mediagoblin.tools.response import render_to_response
-from mediagoblin.plugins.oauth.models import OAuthToken
+from mediagoblin.plugins.oauth.models import OAuthToken, OAuthClient, \
+ OAuthUserClient
+from mediagoblin.plugins.api.tools import Auth
_log = logging.getLogger(__name__)
_log.debug('OAuth config: {0}'.format(config))
routes = [
- Route('mediagoblin.plugins.oauth.authorize', '/oauth/authorize',
- controller='mediagoblin.plugins.oauth.views:authorize'),
- Route('mediagoblin.plugins.oauth.access_token', '/oauth/access_token',
- controller='mediagoblin.plugins.oauth.views:access_token')]
+ ('mediagoblin.plugins.oauth.authorize',
+ '/oauth/authorize',
+ 'mediagoblin.plugins.oauth.views:authorize'),
+ ('mediagoblin.plugins.oauth.authorize_client',
+ '/oauth/client/authorize',
+ 'mediagoblin.plugins.oauth.views:authorize_client'),
+ ('mediagoblin.plugins.oauth.access_token',
+ '/oauth/access_token',
+ 'mediagoblin.plugins.oauth.views:access_token'),
+ ('mediagoblin.plugins.oauth.list_connections',
+ '/oauth/client/connections',
+ 'mediagoblin.plugins.oauth.views:list_connections'),
+ ('mediagoblin.plugins.oauth.register_client',
+ '/oauth/client/register',
+ 'mediagoblin.plugins.oauth.views:register_client'),
+ ('mediagoblin.plugins.oauth.list_clients',
+ '/oauth/client/list',
+ 'mediagoblin.plugins.oauth.views:list_clients')]
pluginapi.register_routes(routes)
pluginapi.register_template_path(os.path.join(PLUGIN_DIR, 'templates'))
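Review bot: The new tuples for `/oauth/client/authorize` and `/oauth/client/register` carry no method or login constraint at the routing layer, so access control depends entirely on `views:authorize_client` and `views:register_client`, which are outside this hunk. Judging by their names, both endpoints change state (approving a client for a user, creating a client), so those views should require an authenticated session and accept the change only via a CSRF-protected POST. A comment above the list such as `# /oauth/client/* views require a logged-in user; state changes are POST + CSRF only` would record that contract next to the routes.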
-class OAuthAuth(object):
- '''
- An object with two significant methods, 'trigger' and 'run'.
-
- Using a similar object to this, plugins can register specific
- authentication logic, for example the GET param 'access_token' for OAuth.
-
- - trigger: Analyze the 'request' argument, return True if you think you
- can handle the request, otherwise return False
- - run: The authentication logic, set the request.user object to the user
- you intend to authenticate and return True, otherwise return False.
-
- If run() returns False, an HTTP 403 Forbidden error will be shown.
-
- You may also display custom errors, just raise them within the run()
- method.
- '''
- def __init__(self):
- pass
-
+class OAuthAuth(Auth):
def trigger(self, request):
- return True
+ if 'access_token' in request.GET:
+ return True
+
+ return False
def __call__(self, request, *args, **kw):
+ self.errors = []
+ # TODO: Add suport for client credentials authorization
+ client_id = request.GET.get('client_id') # TODO: Not used
+ client_secret = request.GET.get('client_secret') # TODO: Not used
access_token = request.GET.get('access_token')
+
+ _log.debug('Authorizing request {0}'.format(request.url))
+
if access_token:
token = OAuthToken.query.filter(OAuthToken.token == access_token)\
.first()
if not token:
+ self.errors.append('Invalid access token')
+ return False
+
+ _log.debug('Access token: {0}'.format(token))
+ _log.debug('Client: {0}'.format(token.client))
+
+ relation = OAuthUserClient.query.filter(
+ (OAuthUserClient.user == token.user)
+ & (OAuthUserClient.client == token.client)
+ & (OAuthUserClient.state == u'approved')).first()
+
+ _log.debug('Relation: {0}'.format(relation))
+
+ if not relation:
+ self.errors.append(
+ u'Client has not been approved by the resource owner')
return False
request.user = token.user
+ return True
- return True
+ self.errors.append(u'No access_token specified')
+ return False
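Review bot: The added `_log.debug('Authorizing request {0}'.format(request.url))` in `__call__` writes the full URL to the log, and because this authenticator reads `access_token` (and `client_secret`) from the query string, those credentials land in the debug log. Log the path only, e.g. `_log.debug('Authorizing request {0}'.format(request.path))`, and check what the `OAuthToken` repr prints before keeping `_log.debug('Access token: {0}'.format(token))`. The lookup also filters on the token value alone; if `OAuthToken` carries an expiry field (the model is not visible here), it should be compared before `request.user = token.user` is reached. `self.errors` is reset on the authenticator object itself, so if a single `OAuthAuth` instance serves several requests at once, the error messages of one request can show up in another.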
hooks = {
'setup': setup_plugin,