1 files changed, 80 insertions, 0 deletions

diff --git a/qvisqve/authn_entity_manager.py b/qvisqve/authn_entity_manager.py
new file mode 100644
index 0000000..32e2da3
--- /dev/null
+++ b/qvisqve/authn_entity_manager.py
@@ -0,0 +1,80 @@
+# Copyright (C) 2018  Lars Wirzenius
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+import os
+
+import qvisqve
+import qvisqve_secrets
+
+
+class AuthenticatingEntityManager(qvisqve.EntityManager):
+
+    _hashed = 'hashed_secret'
+
+    def set_secret(self, entity_id, cleartext_secret):
+        entity = self.get(entity_id)
+        hasher = qvisqve_secrets.SecretHasher()
+        entity[self._hashed] = hasher.hash(cleartext_secret)
+        self.create(entity_id, entity)
+
+    def is_valid_secret(self, entity_id, cleartext_secret):
+        try:
+            entity = self.get(entity_id)
+        except qvisqve.ResourceDoesNotExist:
+            qvisqve.log.log(
+                'error', msg_text='Entity does not exist',
+                entity_id=entity_id)
+            return False
+
+        hashed_secret = entity.get(self._hashed)
+        if not hashed_secret:
+            qvisqve.log.log(
+                'error', msg_text='Entity does not have a hashed secret',
+                entity_id=entity_id)
+            return False
+
+        hasher = qvisqve_secrets.SecretHasher()
+        if not hasher.is_correct(hashed_secret, cleartext_secret):
+            qvisqve.log.log(
+                'error', msg_text='Client-supplied secret is WRONG',
+                entity_id=entity_id)
+            return False
+
+        qvisqve.log.log(
+            'debug', msg_text='Client-supplied secret IS correct',
+            entity_id=entity_id)
+        return True
+
+
+class ClientManager(AuthenticatingEntityManager):
+
+    def __init__(self, rs):
+        super().__init__(rs, 'client')
+
+    def set_allowed_scopes(self, client_id, scopes):
+        client = self.get(client_id)
+        client['allowed_scopes'] = scopes
+        self.create(client_id, client)
+
+    def get_allowed_scopes(self, client_id):
+        client = self.get(client_id)
+        return client.get('allowed_scopes', [])
+
+
+class UserManager(AuthenticatingEntityManager):
+
+    def __init__(self, rs):
+        super().__init__(rs, 'user')