django-oidc-provider/oidc_provider/models.py

# -*- coding: utf-8 -*-
import base64
import binascii
from hashlib import md5, sha256
import json

from django.db import models
from django.utils import timezone
from django.utils.translation import ugettext_lazy as _
from django.conf import settings


CLIENT_TYPE_CHOICES = [
    ('confidential', 'Confidential'),
    ('public', 'Public'),
]

RESPONSE_TYPE_CHOICES = [
    ('code', 'code (Authorization Code Flow)'),
    ('id_token', 'id_token (Implicit Flow)'),
    ('id_token token', 'id_token token (Implicit Flow)'),
    ('code token', 'code token (Hybrid Flow)'),
    ('code id_token', 'code id_token (Hybrid Flow)'),
    ('code id_token token', 'code id_token token (Hybrid Flow)'),
]

JWT_ALGS = [
    ('HS256', 'HS256'),
    ('RS256', 'RS256'),
]


class Client(models.Model):

    name = models.CharField(max_length=100, default='', verbose_name=_(u'Name'))
    client_type = models.CharField(max_length=30, choices=CLIENT_TYPE_CHOICES, default='confidential', verbose_name=_(u'Client Type'), help_text=_(u'<b>Confidential</b> clients are capable of maintaining the confidentiality of their credentials. <b>Public</b> clients are incapable.'))
    client_id = models.CharField(max_length=255, unique=True, verbose_name=_(u'Client ID'))
    client_secret = models.CharField(max_length=255, blank=True, verbose_name=_(u'Client SECRET'))
    response_type = models.CharField(max_length=30, choices=RESPONSE_TYPE_CHOICES, verbose_name=_(u'Response Type'))
    jwt_alg = models.CharField(max_length=10, choices=JWT_ALGS, default='RS256', verbose_name=_(u'JWT Algorithm'), help_text=_(u'Algorithm used to encode ID Tokens.'))
    date_created = models.DateField(auto_now_add=True, verbose_name=_(u'Date Created'))
    website_url = models.CharField(max_length=255, blank=True, default='', verbose_name=_(u'Website URL'))
    terms_url = models.CharField(max_length=255, blank=True, default='', verbose_name=_(u'Terms URL'), help_text=_(u'External reference to the privacy policy of the client.'))
    contact_email = models.CharField(max_length=255, blank=True, default='', verbose_name=_(u'Contact Email'))
    logo = models.FileField(blank=True, default='', upload_to='oidc_provider/clients', verbose_name=_(u'Logo Image'))
    reuse_consent = models.BooleanField(default=True, verbose_name=_('Reuse Consent?'), help_text=_('If enabled, the Server will save the user consent given to a specific client, so that user won\'t be prompted for the same authorization multiple times.'))
    require_consent = models.BooleanField(default=True, verbose_name=_('Require Consent?'), help_text=_('If disabled, the Server will NEVER ask the user for consent.'))

    _redirect_uris = models.TextField(default='', verbose_name=_(u'Redirect URIs'), help_text=_(u'Enter each URI on a new line.'))
    def redirect_uris():
        def fget(self):
            return self._redirect_uris.splitlines()
        def fset(self, value):
            self._redirect_uris = '\n'.join(value)
        return locals()
    redirect_uris = property(**redirect_uris())

    _post_logout_redirect_uris = models.TextField(blank=True, default='', verbose_name=_(u'Post Logout Redirect URIs'), help_text=_(u'Enter each URI on a new line.'))
    def post_logout_redirect_uris():
        def fget(self):
            return self._post_logout_redirect_uris.splitlines()
        def fset(self, value):
            self._post_logout_redirect_uris = '\n'.join(value)
        return locals()
    post_logout_redirect_uris = property(**post_logout_redirect_uris())

    class Meta:
        verbose_name = _(u'Client')
        verbose_name_plural = _(u'Clients')

    def __str__(self):
        return u'{0}'.format(self.name)

    def __unicode__(self):
        return self.__str__()


    @property
    def default_redirect_uri(self):
        return self.redirect_uris[0] if self.redirect_uris else ''


class BaseCodeTokenModel(models.Model):

    user = models.ForeignKey(settings.AUTH_USER_MODEL, verbose_name=_(u'User'), on_delete=models.CASCADE)
    client = models.ForeignKey(Client, verbose_name=_(u'Client'), on_delete=models.CASCADE)
    expires_at = models.DateTimeField(verbose_name=_(u'Expiration Date'))
    _scope = models.TextField(default='', verbose_name=_(u'Scopes'))

    def scope():
        def fget(self):
            return self._scope.split()

        def fset(self, value):
            self._scope = ' '.join(value)

        return locals()
    scope = property(**scope())

    def has_expired(self):
        return timezone.now() >= self.expires_at

    def __str__(self):
        return u'{0} - {1}'.format(self.client, self.user.email)

    def __unicode__(self):
        return self.__str__()

    class Meta:
        abstract = True


class Code(BaseCodeTokenModel):

    code = models.CharField(max_length=255, unique=True, verbose_name=_(u'Code'))
    nonce = models.CharField(max_length=255, blank=True, default='', verbose_name=_(u'Nonce'))
    is_authentication = models.BooleanField(default=False, verbose_name=_(u'Is Authentication?'))
    code_challenge = models.CharField(max_length=255, null=True, verbose_name=_(u'Code Challenge'))
    code_challenge_method = models.CharField(max_length=255, null=True, verbose_name=_(u'Code Challenge Method'))

    class Meta:
        verbose_name = _(u'Authorization Code')
        verbose_name_plural = _(u'Authorization Codes')


class Token(BaseCodeTokenModel):

    access_token = models.CharField(max_length=255, unique=True, verbose_name=_(u'Access Token'))
    refresh_token = models.CharField(max_length=255, unique=True, verbose_name=_(u'Refresh Token'))
    _id_token = models.TextField(verbose_name=_(u'ID Token'))

    def id_token():

        def fget(self):
            return json.loads(self._id_token)

        def fset(self, value):
            self._id_token = json.dumps(value)

        return locals()
    id_token = property(**id_token())

    class Meta:
        verbose_name = _(u'Token')
        verbose_name_plural = _(u'Tokens')

    @property
    def at_hash(self):
        # @@@ d-o-p only supports 256 bits (change this if that changes)
        hashed_access_token = sha256(
            self.access_token.encode('ascii')
        ).hexdigest().encode('ascii')
        return base64.urlsafe_b64encode(
            binascii.unhexlify(
                hashed_access_token[:len(hashed_access_token) // 2]
            )
        ).rstrip(b'=').decode('ascii')


class UserConsent(BaseCodeTokenModel):

    date_given = models.DateTimeField(verbose_name=_(u'Date Given'))

    class Meta:
        unique_together = ('user', 'client')


class RSAKey(models.Model):

    key = models.TextField(verbose_name=_(u'Key'), help_text=_(u'Paste your private RSA Key here.'))

    class Meta:
        verbose_name = _(u'RSA Key')
        verbose_name_plural = _(u'RSA Keys')

    def __str__(self):
        return u'{0}'.format(self.kid)

    def __unicode__(self):
        return self.__str__()

    @property
    def kid(self):
        return u'{0}'.format(md5(self.key.encode('utf-8')).hexdigest() if self.key else '')
Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 20:52:24 +00:00			`# -- coding: utf-8 --`
Added at_hash when access token is present This is required by response type "id_token token", but can be used by other flows if they choose. 2016-08-05 19:11:01 +00:00			`import base64`
			`import binascii`
			`from hashlib import md5, sha256`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`import json`

Initial commit. 2014-12-19 15:27:43 +00:00			`from django.db import models`
			`from django.utils import timezone`
Improve admin models. 2015-12-04 16:55:04 +00:00			`from django.utils.translation import ugettext_lazy as _`
Use models setting instead of User 2015-07-21 13:57:23 +00:00			`from django.conf import settings`
Initial commit. 2014-12-19 15:27:43 +00:00

Merge branch 'v0.3.x' of https://github.com/juanifioren/django-oidc-provider into feature-jwtalg 2016-04-25 17:55:30 +00:00			`CLIENT_TYPE_CHOICES = [`
			`('confidential', 'Confidential'),`
			`('public', 'Public'),`
			`]`

			`RESPONSE_TYPE_CHOICES = [`
			`('code', 'code (Authorization Code Flow)'),`
			`('id_token', 'id_token (Implicit Flow)'),`
			`('id_token token', 'id_token token (Implicit Flow)'),`
Add Hybrid flow login in view and models. 2016-09-08 19:21:48 +00:00			`('code token', 'code token (Hybrid Flow)'),`
			`('code id_token', 'code id_token (Hybrid Flow)'),`
			`('code id_token token', 'code id_token token (Hybrid Flow)'),`
Merge branch 'v0.3.x' of https://github.com/juanifioren/django-oidc-provider into feature-jwtalg 2016-04-25 17:55:30 +00:00			`]`
Initial commit. 2014-12-19 15:27:43 +00:00
Merge branch 'v0.3.x' of https://github.com/juanifioren/django-oidc-provider into feature-jwtalg 2016-04-25 17:55:30 +00:00			`JWT_ALGS = [`
			`('HS256', 'HS256'),`
			`('RS256', 'RS256'),`
			`]`
Initial commit. 2014-12-19 15:27:43 +00:00
flake8 fixes 2016-08-08 17:54:40 +00:00
Merge branch 'v0.3.x' of https://github.com/juanifioren/django-oidc-provider into feature-jwtalg 2016-04-25 17:55:30 +00:00			`class Client(models.Model):`
Add HS256 support for JWS. 2016-03-22 19:17:56 +00:00
Add date_given to UserConsent model. Add verbose names in models. 2016-06-13 15:15:10 +00:00			`name = models.CharField(max_length=100, default='', verbose_name=_(u'Name'))`
			`client_type = models.CharField(max_length=30, choices=CLIENT_TYPE_CHOICES, default='confidential', verbose_name=_(u'Client Type'), help_text=_(u'<b>Confidential</b> clients are capable of maintaining the confidentiality of their credentials. <b>Public</b> clients are incapable.'))`
			`client_id = models.CharField(max_length=255, unique=True, verbose_name=_(u'Client ID'))`
fix for generating client secret 2016-10-05 15:37:49 +00:00			`client_secret = models.CharField(max_length=255, blank=True, verbose_name=_(u'Client SECRET'))`
Add date_given to UserConsent model. Add verbose names in models. 2016-06-13 15:15:10 +00:00			`response_type = models.CharField(max_length=30, choices=RESPONSE_TYPE_CHOICES, verbose_name=_(u'Response Type'))`
Add more attr to Client object. 2016-09-09 18:57:25 +00:00			`jwt_alg = models.CharField(max_length=10, choices=JWT_ALGS, default='RS256', verbose_name=_(u'JWT Algorithm'), help_text=_(u'Algorithm used to encode ID Tokens.'))`
Add date_given to UserConsent model. Add verbose names in models. 2016-06-13 15:15:10 +00:00			`date_created = models.DateField(auto_now_add=True, verbose_name=_(u'Date Created'))`
Add more attr to Client object. 2016-09-09 18:57:25 +00:00			`website_url = models.CharField(max_length=255, blank=True, default='', verbose_name=_(u'Website URL'))`
			`terms_url = models.CharField(max_length=255, blank=True, default='', verbose_name=_(u'Terms URL'), help_text=_(u'External reference to the privacy policy of the client.'))`
			`contact_email = models.CharField(max_length=255, blank=True, default='', verbose_name=_(u'Contact Email'))`
			`logo = models.FileField(blank=True, default='', upload_to='oidc_provider/clients', verbose_name=_(u'Logo Image'))`
Adds per-client consent customization 2017-03-31 16:34:03 +00:00			`reuse_consent = models.BooleanField(default=True, verbose_name=_('Reuse Consent?'), help_text=_('If enabled, the Server will save the user consent given to a specific client, so that user won\'t be prompted for the same authorization multiple times.'))`
			`require_consent = models.BooleanField(default=True, verbose_name=_('Require Consent?'), help_text=_('If disabled, the Server will NEVER ask the user for consent.'))`
Initial commit. 2014-12-19 15:27:43 +00:00
Add date_given to UserConsent model. Add verbose names in models. 2016-06-13 15:15:10 +00:00			`_redirect_uris = models.TextField(default='', verbose_name=_(u'Redirect URIs'), help_text=_(u'Enter each URI on a new line.'))`
Add post_logout_redirect_uris for Client model. 2016-10-31 19:36:58 +00:00			`def redirect_uris():`
			`def fget(self):`
			`return self._redirect_uris.splitlines()`
			`def fset(self, value):`
			`self._redirect_uris = '\n'.join(value)`
			`return locals()`
			`redirect_uris = property(**redirect_uris())`

			`_post_logout_redirect_uris = models.TextField(blank=True, default='', verbose_name=_(u'Post Logout Redirect URIs'), help_text=_(u'Enter each URI on a new line.'))`
			`def post_logout_redirect_uris():`
			`def fget(self):`
			`return self._post_logout_redirect_uris.splitlines()`
			`def fset(self, value):`
			`self._post_logout_redirect_uris = '\n'.join(value)`
			`return locals()`
			`post_logout_redirect_uris = property(**post_logout_redirect_uris())`
Improve admin models. 2015-12-04 16:55:04 +00:00
			`class Meta:`
			`verbose_name = _(u'Client')`
			`verbose_name_plural = _(u'Clients')`

add __str__ and __unicode__ methods to models so they look better in the admin pages 2015-05-30 11:54:04 +00:00			`def __str__(self):`
Fix incorrect mixture of %s and format 2015-11-02 16:19:03 +00:00			`return u'{0}'.format(self.name)`
add __str__ and __unicode__ methods to models so they look better in the admin pages 2015-05-30 11:54:04 +00:00
			`def __unicode__(self):`
			`return self.__str__()`
Add date_given to UserConsent model. Add verbose names in models. 2016-06-13 15:15:10 +00:00
flake8 fixes 2016-08-08 17:54:40 +00:00
Initial commit. 2014-12-19 15:27:43 +00:00
			`@property`
			`def default_redirect_uri(self):`
Fix bug in default_redirect_uri property. 2015-01-16 18:03:41 +00:00			`return self.redirect_uris[0] if self.redirect_uris else ''`
Initial commit. 2014-12-19 15:27:43 +00:00
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00
Add abstract class for Code and Token models. 2015-04-21 18:19:43 +00:00			`class BaseCodeTokenModel(models.Model):`
Initial commit. 2014-12-19 15:27:43 +00:00
Preparing v0.5.2 (#201) * Fix infinite login loop if "prompt=login" (#198) * Fix Django 2.0 deprecation warnings (#185) 2017-08-22 15:33:13 +00:00			`user = models.ForeignKey(settings.AUTH_USER_MODEL, verbose_name=_(u'User'), on_delete=models.CASCADE)`
			`client = models.ForeignKey(Client, verbose_name=_(u'Client'), on_delete=models.CASCADE)`
Add date_given to UserConsent model. Add verbose names in models. 2016-06-13 15:15:10 +00:00			`expires_at = models.DateTimeField(verbose_name=_(u'Expiration Date'))`
			`_scope = models.TextField(default='', verbose_name=_(u'Scopes'))`
add __str__ and __unicode__ methods to models so they look better in the admin pages 2015-05-30 11:54:04 +00:00
Add abstract class for Code and Token models. 2015-04-21 18:19:43 +00:00			`def scope():`
			`def fget(self):`
			`return self._scope.split()`
flake8 fixes 2016-08-08 17:54:40 +00:00
Add abstract class for Code and Token models. 2015-04-21 18:19:43 +00:00			`def fset(self, value):`
			`self._scope = ' '.join(value)`
flake8 fixes 2016-08-08 17:54:40 +00:00
Add abstract class for Code and Token models. 2015-04-21 18:19:43 +00:00			`return locals()`
			`scope = property(**scope())`
Initial commit. 2014-12-19 15:27:43 +00:00
			`def has_expired(self):`
			`return timezone.now() >= self.expires_at`

add __str__ and __unicode__ methods to models so they look better in the admin pages 2015-05-30 11:54:04 +00:00			`def __str__(self):`
Provide doc for user consent model. 2016-06-13 16:26:33 +00:00			`return u'{0} - {1}'.format(self.client, self.user.email)`
add __str__ and __unicode__ methods to models so they look better in the admin pages 2015-05-30 11:54:04 +00:00
			`def __unicode__(self):`
			`return self.__str__()`
Add date_given to UserConsent model. Add verbose names in models. 2016-06-13 15:15:10 +00:00
Add abstract class for Code and Token models. 2015-04-21 18:19:43 +00:00			`class Meta:`
			`abstract = True`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00
Initial commit. 2014-12-19 15:27:43 +00:00
Add abstract class for Code and Token models. 2015-04-21 18:19:43 +00:00			`class Code(BaseCodeTokenModel):`
Auto now 2015-02-06 17:26:34 +00:00
Add date_given to UserConsent model. Add verbose names in models. 2016-06-13 15:15:10 +00:00			`code = models.CharField(max_length=255, unique=True, verbose_name=_(u'Code'))`
			`nonce = models.CharField(max_length=255, blank=True, default='', verbose_name=_(u'Nonce'))`
			`is_authentication = models.BooleanField(default=False, verbose_name=_(u'Is Authentication?'))`
			`code_challenge = models.CharField(max_length=255, null=True, verbose_name=_(u'Code Challenge'))`
			`code_challenge_method = models.CharField(max_length=255, null=True, verbose_name=_(u'Code Challenge Method'))`
Initial commit. 2014-12-19 15:27:43 +00:00
Improve admin models. 2015-12-04 16:55:04 +00:00			`class Meta:`
			`verbose_name = _(u'Authorization Code')`
			`verbose_name_plural = _(u'Authorization Codes')`

Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00
Add abstract class for Code and Token models. 2015-04-21 18:19:43 +00:00			`class Token(BaseCodeTokenModel):`

Add date_given to UserConsent model. Add verbose names in models. 2016-06-13 15:15:10 +00:00			`access_token = models.CharField(max_length=255, unique=True, verbose_name=_(u'Access Token'))`
Fix refresh_token cannot be primary key if null. 2016-12-12 19:46:21 +00:00			`refresh_token = models.CharField(max_length=255, unique=True, verbose_name=_(u'Refresh Token'))`
Add date_given to UserConsent model. Add verbose names in models. 2016-06-13 15:15:10 +00:00			`_id_token = models.TextField(verbose_name=_(u'ID Token'))`
flake8 fixes 2016-08-08 17:54:40 +00:00
Initial commit. 2014-12-19 15:27:43 +00:00			`def id_token():`
flake8 fixes 2016-08-08 17:54:40 +00:00
Initial commit. 2014-12-19 15:27:43 +00:00			`def fget(self):`
			`return json.loads(self._id_token)`
flake8 fixes 2016-08-08 17:54:40 +00:00
Initial commit. 2014-12-19 15:27:43 +00:00			`def fset(self, value):`
			`self._id_token = json.dumps(value)`
flake8 fixes 2016-08-08 17:54:40 +00:00
Initial commit. 2014-12-19 15:27:43 +00:00			`return locals()`
			`id_token = property(**id_token())`

Improve admin models. 2015-12-04 16:55:04 +00:00			`class Meta:`
			`verbose_name = _(u'Token')`
			`verbose_name_plural = _(u'Tokens')`

Added at_hash when access token is present This is required by response type "id_token token", but can be used by other flows if they choose. 2016-08-05 19:11:01 +00:00			`@property`
			`def at_hash(self):`
			`# @@@ d-o-p only supports 256 bits (change this if that changes)`
			`hashed_access_token = sha256(`
			`self.access_token.encode('ascii')`
			`).hexdigest().encode('ascii')`
			`return base64.urlsafe_b64encode(`
			`binascii.unhexlify(`
			`hashed_access_token[:len(hashed_access_token) // 2]`
			`)`
			`).rstrip(b'=').decode('ascii')`

Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00
Add UserConsent to models. 2015-06-22 21:42:04 +00:00			`class UserConsent(BaseCodeTokenModel):`
Improve admin models. 2015-12-04 16:55:04 +00:00
Add date_given to UserConsent model. Add verbose names in models. 2016-06-13 15:15:10 +00:00			`date_given = models.DateTimeField(verbose_name=_(u'Date Given'))`

Make (user, client) unique on UserConsent We assume this combination is unique with our get and get_or_create calls. 2015-11-10 10:29:05 +00:00			`class Meta:`
			`unique_together = ('user', 'client')`
Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 20:52:24 +00:00

			`class RSAKey(models.Model):`

Add date_given to UserConsent model. Add verbose names in models. 2016-06-13 15:15:10 +00:00			`key = models.TextField(verbose_name=_(u'Key'), help_text=_(u'Paste your private RSA Key here.'))`
Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 20:52:24 +00:00
			`class Meta:`
			`verbose_name = _(u'RSA Key')`
			`verbose_name_plural = _(u'RSA Keys')`

			`def __str__(self):`
			`return u'{0}'.format(self.kid)`

			`def __unicode__(self):`
			`return self.__str__()`

			`@property`
			`def kid(self):`
flake8 fixes 2016-08-08 17:54:40 +00:00			`return u'{0}'.format(md5(self.key.encode('utf-8')).hexdigest() if self.key else '')`