From 6eac3fa1cf2a0f5b418e9336c54219c30edb4222 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Thu, 16 Aug 2018 14:51:03 +0300 Subject: Change: get allowed scopes from user, not client, for authz code flo --- qvisqve/token_router.py | 9 +++++---- yarns/300-end-user-auth.yarn | 5 +++-- yarns/900-local.yarn | 17 ++++++++++++++++- yarns/lib.py | 9 ++++++--- 4 files changed, 30 insertions(+), 10 deletions(-) diff --git a/qvisqve/token_router.py b/qvisqve/token_router.py index ea37065..4778063 100644 --- a/qvisqve/token_router.py +++ b/qvisqve/token_router.py @@ -26,10 +26,10 @@ import qvisqve_secrets class TokenRouter(qvisqve.Router): - def __init__(self, token_generator, clients, authz_attempts): + def __init__(self, token_generator, clients, users, authz_attempts): qvisqve.log.log('debug', msg_text='TokenRouter init starts') super().__init__() - args = (clients, token_generator, authz_attempts) + args = (users, clients, token_generator, authz_attempts) self._grants = { 'client_credentials': ClientCredentialsGrant(*args), 'authorization_code': AuthorizationCodeGrant(*args), @@ -75,7 +75,8 @@ class TokenRouter(qvisqve.Router): class Grant: - def __init__(self, clients, generator, authz_attempts): + def __init__(self, users, clients, generator, authz_attempts): + self._users = users self._clients = clients self._generator = generator self._attempts = authz_attempts @@ -141,7 +142,7 @@ class AuthorizationCodeGrant(Grant): subject_id = aa.get_subject_id() scope = aa.get_scope() - allowed = self._clients.get_allowed_scopes(client_id) + allowed = self._users.get_allowed_scopes(subject_id) scope = ' '.join( s for s in scope.split() diff --git a/yarns/300-end-user-auth.yarn b/yarns/300-end-user-auth.yarn index 98295fb..e6b6e66 100644 --- a/yarns/300-end-user-auth.yarn +++ b/yarns/300-end-user-auth.yarn 
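Review bot: The new `users` parameter is inserted in the middle of TokenRouter.__init__'s positional signature, and the same is done to Grant.__init__ in the next hunk, so the `args` tuple now has to stay in lock-step with Grant's parameter order by position alone; the call site that constructs TokenRouter is not part of this diff, so whether it was updated cannot be checked here. Passing the collaborators by keyword removes the ordering hazard: `args = dict(users=users, clients=clients, generator=token_generator, authz_attempts=authz_attempts)` with `ClientCredentialsGrant(**args)` and `AuthorizationCodeGrant(**args)`. Neither constructor says what `users` must provide; a comment such as `# users: store answering get_allowed_scopes(subject_id); only AuthorizationCodeGrant consults it` on the `self._users = users` line would document the new dependency.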
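Review bot: After this change the authorization-code flow bounds the issued scope only by the user's allowed scopes; the client's registered scopes (the removed `self._clients.get_allowed_scopes(client_id)` call) no longer constrain it on this path, so a client registered for a narrow scope set receives whatever the authenticated user is allowed. Unless the client-side limit is enforced somewhere else on this path that is not visible here, the token should be bounded by both principals, e.g. `allowed = set(self._users.get_allowed_scopes(subject_id)) & set(self._clients.get_allowed_scopes(client_id))`, assuming `allowed` is only used for membership in the comprehension that follows. The diffstat shows no change to the users store, so `get_allowed_scopes` on it is presumed to already exist and to return the `allowed_scopes` list that yarns/lib.py writes; worth confirming. The enclosing method begins and ends outside this hunk.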
@@ -86,6 +86,7 @@ registerd, before the login process starts. GIVEN a Qvisqve configuration for "https://qvisqve" AND Qvisqve configuration has user account tomjon with password hunter2 + AND Qvisqve configuration allows user tomjon scopes foo bar AND Qvisqve configuration has application facade ... with callback url https://facade/callback ... and secret happydays @@ -115,7 +116,7 @@ unique, hard-to-guess value every time the user authenication starts anew. Note that this should probably be different from the `state` value from the facade (FIXME: why?). - WHEN browser requests GET /auth?response_type=code&scope=openid+read&client_id=facade&state=RANDOM&redirect_uri=https://facade/callback + WHEN browser requests GET /auth?response_type=code&scope=openid+foo+yo&client_id=facade&state=RANDOM&redirect_uri=https://facade/callback THEN HTTP status code is 200 OK AND Content-Type is text/html AND body has an HTML form with field username @@ -179,7 +180,7 @@ this. Needs research and thinking. AND JSON body has field token_type, with value Bearer AND JSON body has field expires_in - AND access token has a scope field set to read + AND access token has a scope field set to foo AND access token has a sub field set to tomjon The authorization code can't be re-used. diff --git a/yarns/900-local.yarn b/yarns/900-local.yarn index c9721bc..cae5db1 100644 --- a/yarns/900-local.yarn +++ b/yarns/900-local.yarn 
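Review bot: The updated scenario exercises only the user-side filter — the user is allowed `foo bar`, the request asks for `openid foo yo`, and the token is expected to carry exactly `foo` — but nothing asserts that the facade client's own allowed scopes still bound the token in the authorization-code flow. A companion step registering the client with an allowed-scope list that omits one of the user's scopes, plus an assertion that the token does not carry it, would pin down the intended interaction between the two limits (the facade registration step here may already take an allowed-scopes argument; its continuation lines are not in the hunk). Dropping `openid` silently from the issued scope is also behaviour the scenario now encodes without comment; a sentence in the prose above the WHEN step stating that unknown scopes are filtered rather than rejected would make that explicit.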
@@ -40,7 +40,22 @@ along with this program. If not, see . IMPLEMENTS GIVEN Qvisqve configuration has user account (\S+) with password (\S+) username = get_next_match() password = get_next_match() - V['users'] = { username: password } + user = { + 'password': password, + } + users = V['users'] or {} + users[username] = {'password': password} + V['users'] = users + + IMPLEMENTS GIVEN Qvisqve configuration allows user (\S+) scopes (.+) + username = get_next_match() + scopes = get_next_match() + users = V['users'] + print('users', users) + user = users[username] + user['scopes'] = scopes.split() + users[username] = user + V['users'] = users IMPLEMENTS GIVEN Qvisqve configuration has application (\S+) with callback url (\S+) and secret (\S+) and allowed scopes (.+) app = get_next_match() diff --git a/yarns/lib.py b/yarns/lib.py index 96c93ad..a9ba526 100644 --- a/yarns/lib.py +++ b/yarns/lib.py @@ -205,11 +205,14 @@ def start_qvisqve(): with open(filename, 'w') as f: yaml.safe_dump(spec, stream=f) - users = V['users'] - for name in users or []: + users = V['users'] or {} + print('users:', users) + for name, user in users.items(): + print('add user', name, user) filename = os.path.join(store, 'user', name) spec = { - 'hashed_secret': sh.hash(users[name]), + 'hashed_secret': sh.hash(user['password']), + 'allowed_scopes': user['scopes'], } with open(filename, 'w') as f: yaml.safe_dump(spec, stream=f) -- cgit v1.2.1
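Review bot: In the first IMPLEMENTS block the dict literal bound to `user` is never used — the following line stores a fresh `{'password': password}` instead — and the new scopes block leaves a `print('users', users)` in place, which also echoes every configured plaintext test password to the scenario log. Use the literal, `users[username] = user`, and drop the print; the trailing `users[username] = user` in the scopes block is redundant because `user` is the same dict object already held in `users` and was mutated in place. In the scopes block `users = V['users']` with no `or {}` fallback will raise a TypeError rather than a KeyError if the scopes step runs before any account step; a short comment such as `# requires the "has user account" step to have run first` would make the ordering expectation explicit.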
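Review bot: `'allowed_scopes': user['scopes']` raises KeyError for any account configured by the password step alone, since that step (yarns/900-local.yarn in this same commit) stores only `'password'`; any scenario that never runs the new "allows user … scopes" step will presumably now fail inside start_qvisqve instead of getting a user with no scopes. Writing `'allowed_scopes': user.get('scopes', [])` keeps those scenarios working with an explicit empty allow-list, which is also the safer default. The two added `print(...)` calls dump every user record, plaintext passwords included, to the harness output and look like leftover debugging. start_qvisqve begins before this hunk.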