authorLars Wirzenius <liw@liw.fi>2018-08-16 14:51:03 +0300
committerLars Wirzenius <liw@liw.fi>2018-08-16 14:51:03 +0300
commit6eac3fa1cf2a0f5b418e9336c54219c30edb4222 (patch)
tree6e1e445ff420be316a6db91c01a8ec009aba6dac
parent8b037ebc76e5b8a0d429a0c365514b0c41d6022e (diff)
Change: get allowed scopes from user, not client, for authz code flow
-rw-r--r--qvisqve/token_router.py9
-rw-r--r--yarns/300-end-user-auth.yarn5
-rw-r--r--yarns/900-local.yarn17
-rw-r--r--yarns/lib.py9
4 files changed, 30 insertions, 10 deletions
diff --git a/qvisqve/token_router.py b/qvisqve/token_router.py
index ea37065..4778063 100644
--- a/qvisqve/token_router.py
+++ b/qvisqve/token_router.py
@@ -26,10 +26,10 @@ import qvisqve_secrets
class TokenRouter(qvisqve.Router):
- def __init__(self, token_generator, clients, authz_attempts):
+ def __init__(self, token_generator, clients, users, authz_attempts):
qvisqve.log.log('debug', msg_text='TokenRouter init starts')
super().__init__()
- args = (clients, token_generator, authz_attempts)
+ args = (users, clients, token_generator, authz_attempts)
self._grants = {
'client_credentials': ClientCredentialsGrant(*args),
'authorization_code': AuthorizationCodeGrant(*args),
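Review bot: The grants are still built from a positional `args` tuple, and this hunk changes both its length and its order (`users` is inserted first and `clients` moves to second), so every `Grant` subclass is now relying on `*args` landing in the new order; a subclass that defined its own `__init__` with the old order would silently receive `users` as `clients`. Passing the dependencies by keyword makes the binding explicit and order-independent, e.g. `ClientCredentialsGrant(users=users, clients=clients, generator=token_generator, authz_attempts=authz_attempts)`. The added third positional parameter on `TokenRouter.__init__` also changes its public constructor signature; its callers are not in this diff, so whether they were updated cannot be checked here.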
@@ -75,7 +75,8 @@ class TokenRouter(qvisqve.Router):
class Grant:
- def __init__(self, clients, generator, authz_attempts):
+ def __init__(self, users, clients, generator, authz_attempts):
+ self._users = users
self._clients = clients
self._generator = generator
self._attempts = authz_attempts
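Review bot: `Grant.__init__` gains a `users` collaborator but nothing documents what it must provide; the only method this diff calls on it is `get_allowed_scopes(subject_id)`. A short docstring on the constructor, stating that `users` is the user store consulted for per-user scope limits (and that `clients` still holds the registered application records), would save the next reader from tracing the subclasses. The surrounding `Grant` class continues outside the hunk.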
@@ -141,7 +142,7 @@ class AuthorizationCodeGrant(Grant):
subject_id = aa.get_subject_id()
scope = aa.get_scope()
- allowed = self._clients.get_allowed_scopes(client_id)
+ allowed = self._users.get_allowed_scopes(subject_id)
scope = ' '.join(
s
for s in scope.split()
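Review bot: The replaced line removes the client's registered scope list from the authorization-code flow entirely: the issued scope is now bounded only by what the user is allowed, so an application registered for a narrow scope set can obtain any scope the user holds, as long as the user asks for it through that application. An authorization server normally intersects the two limits, e.g. `allowed = set(self._users.get_allowed_scopes(subject_id)) & set(self._clients.get_allowed_scopes(client_id))`, which keeps both the per-user restriction this commit adds and the per-client one it drops (the yarn step on this page still registers applications with allowed scopes). The return type of `get_allowed_scopes` is not visible; if either store returns a space-separated string rather than a list, the `s in allowed` filter that presumably follows would match substrings, so confirm both return collections. The enclosing method starts and ends outside the hunk, so how an empty `allowed` result is handled is not visible here.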
diff --git a/yarns/300-end-user-auth.yarn b/yarns/300-end-user-auth.yarn
index 98295fb..e6b6e66 100644
--- a/yarns/300-end-user-auth.yarn
+++ b/yarns/300-end-user-auth.yarn
@@ -86,6 +86,7 @@ registerd, before the login process starts.
GIVEN a Qvisqve configuration for "https://qvisqve"
AND Qvisqve configuration has user account tomjon with password hunter2
+ AND Qvisqve configuration allows user tomjon scopes foo bar
AND Qvisqve configuration has application facade
... with callback url https://facade/callback
... and secret happydays
@@ -115,7 +116,7 @@ unique, hard-to-guess value every time the user authenication starts
anew. Note that this should probably be different from the `state`
value from the facade (FIXME: why?).
- WHEN browser requests GET /auth?response_type=code&scope=openid+read&client_id=facade&state=RANDOM&redirect_uri=https://facade/callback
+ WHEN browser requests GET /auth?response_type=code&scope=openid+foo+yo&client_id=facade&state=RANDOM&redirect_uri=https://facade/callback
THEN HTTP status code is 200 OK
AND Content-Type is text/html
AND body has an HTML form with field username
@@ -179,7 +180,7 @@ this. Needs research and thinking.
AND JSON body has field token_type, with value Bearer
AND JSON body has field expires_in
- AND access token has a scope field set to read
+ AND access token has a scope field set to foo
AND access token has a sub field set to tomjon
The authorization code can't be re-used.
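Review bot: The new expectation `access token has a scope field set to foo` only exercises the case where a requested scope (`yo`) is absent from the user's list; no scenario in this file gives the user a scope that the `facade` application is not registered for, so the suite cannot detect whether the per-client scope restriction still applies after this change. A scenario where the user is allowed `bar` but the application is not, asserting `bar` is absent from the token, would pin that down. Note also that `openid` is requested and dropped because the user's allowed list is `foo bar`; if this flow is meant to be OpenID Connect, confirm that losing `openid` is intended, or add it to the user's scopes step.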
diff --git a/yarns/900-local.yarn b/yarns/900-local.yarn
index c9721bc..cae5db1 100644
--- a/yarns/900-local.yarn
+++ b/yarns/900-local.yarn
@@ -40,7 +40,22 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
IMPLEMENTS GIVEN Qvisqve configuration has user account (\S+) with password (\S+)
username = get_next_match()
password = get_next_match()
- V['users'] = { username: password }
+ user = {
+ 'password': password,
+ }
+ users = V['users'] or {}
+ users[username] = {'password': password}
+ V['users'] = users
+
+ IMPLEMENTS GIVEN Qvisqve configuration allows user (\S+) scopes (.+)
+ username = get_next_match()
+ scopes = get_next_match()
+ users = V['users']
+ print('users', users)
+ user = users[username]
+ user['scopes'] = scopes.split()
+ users[username] = user
+ V['users'] = users
IMPLEMENTS GIVEN Qvisqve configuration has application (\S+) with callback url (\S+) and secret (\S+) and allowed scopes (.+)
app = get_next_match()
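Review bot: In the account step the new `user = {'password': password}` dict is built and never used — the entry stored is a second literal two lines later — so either drop the dead assignment or store it: `users = V['users'] or {}`, `users[username] = user`, `V['users'] = users`. The `print('users', users)` in the new scopes step writes the whole fixture dict, including the cleartext passwords, into the test output; it looks like leftover debugging and should go. Looking up `V['users']` and `users[username]` without a guard in the scopes step means a scenario that names a user before the account step fails with a `KeyError`, which is acceptable for a test helper but is worth a one-line comment stating that ordering requirement.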
diff --git a/yarns/lib.py b/yarns/lib.py
index 96c93ad..a9ba526 100644
--- a/yarns/lib.py
+++ b/yarns/lib.py
@@ -205,11 +205,14 @@ def start_qvisqve():
with open(filename, 'w') as f:
yaml.safe_dump(spec, stream=f)
- users = V['users']
- for name in users or []:
+ users = V['users'] or {}
+ print('users:', users)
+ for name, user in users.items():
+ print('add user', name, user)
filename = os.path.join(store, 'user', name)
spec = {
- 'hashed_secret': sh.hash(users[name]),
+ 'hashed_secret': sh.hash(user['password']),
+ 'allowed_scopes': user['scopes'],
}
with open(filename, 'w') as f:
yaml.safe_dump(spec, stream=f)
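Review bot: `'allowed_scopes': user['scopes']` raises `KeyError` for any user created only through the `has user account … with password` step, since `scopes` is added solely by the new `allows user … scopes` step; every existing scenario that does not use the new step would fail in `start_qvisqve`. Use `user.get('scopes', [])` so a user without an explicit grant gets an empty (most restrictive) scope list. The two added `print` calls echo each user record, password included, to stdout and should be removed along with the one in the yarn step. `start_qvisqve` begins before the hunk, so how `V['users']` is populated before this loop is not visible.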