refactor, implement next attribute, for forward, service need user approve berfore redirect

2020-05-13 17:04:22 +02:00 · 2020-05-13 17:04:22 +02:00 · 5037fe4def
parent 77962edd15
commit 5037fe4def
8 changed files with 82 additions and 40 deletions
--- a/lenticular_cloud/app.py
+++ b/lenticular_cloud/app.py
@ -144,9 +144,9 @@ def oidc_provider_init_app(name=None):

    app.babel = Babel(app)
    app.login_manager = LoginManager(app)
-    init_login_manager(app)

-    from .views import oidc_provider_views, auth_views, frontend_views
+    from .views import oidc_provider_views, auth_views, frontend_views, init_login_manager
+    init_login_manager(app)
    app.register_blueprint(oidc_provider_views)
    app.register_blueprint(auth_views)
    app.register_blueprint(frontend_views)
@ -171,16 +171,3 @@ def oidc_provider_init_app(name=None):

    return app

-
-def init_login_manager(app):
-    @app.login_manager.user_loader
-    def user_loader(username):
-        return model.User.query().by_username(username)
-
-    @app.login_manager.request_loader
-    def request_loader(request):
-        pass
-
-    @app.login_manager.unauthorized_handler
-    def unauthorized():
-        return redirect(url_for('auth.login'))
--- a/lenticular_cloud/form/frontend.py
+++ b/lenticular_cloud/form/frontend.py
@ -32,3 +32,7 @@ class TOTPForm(FlaskForm):

 class TOTPDeleteForm(FlaskForm):
    submit = SubmitField(gettext('Delete'))
+
+
+class OidcAuthenticationConfirm(FlaskForm):
+    submit = SubmitField(gettext('Continue'))
--- a/lenticular_cloud/views/init.py
+++ b/lenticular_cloud/views/init.py
@ -1,5 +1,5 @@
 # pylint: disable=unused-import

 from .oidc import oidc_provider_views
-from .auth import auth_views
+from .auth import auth_views, init_login_manager
 from .frontend import frontend_views
--- a/lenticular_cloud/views/auth.py
+++ b/lenticular_cloud/views/auth.py
@ -18,7 +18,8 @@ from flask import Blueprint, render_template, request, url_for
 from flask_login import login_required, login_user, logout_user
 from werkzeug.utils import redirect
 import logging
-
+from urllib.parse import urlparse
+from base64 import b64decode, b64encode

 from ..model import User, SecurityUser
 from ..form.login import LoginForm
@ -29,6 +30,19 @@ from .oidc import do_logout
 auth_views = Blueprint('auth', __name__, url_prefix='')


+def init_login_manager(app):
+    @app.login_manager.user_loader
+    def user_loader(username):
+        return User.query().by_username(username)
+
+    @app.login_manager.request_loader
+    def request_loader(request):
+        pass
+
+    @app.login_manager.unauthorized_handler
+    def unauthorized():
+        return redirect(url_for('auth.login', next=b64encode(request.url.encode())))
+
@auth_views.route('/login', methods=['GET', 'POST'])
 def login():
    form = LoginForm()
@ -36,7 +50,7 @@ def login():
        user = User.query().by_username(form.data['name'])
        session['username'] = str(user.username)
        session['auth_providers'] = []
-        return redirect(url_for('auth.login_auth'))
+        return redirect(url_for('auth.login_auth', next=flask.request.args.get('next')))
    return render_template('frontend/login.html.j2', form=form)


@ -44,7 +58,7 @@ def login():
 def login_auth():
    if 'username' not in session:
        return redirect(url_for('auth.login'))
-    auth_forms = []
+    auth_forms = {}
    user = User.query().by_username(session['username'])
    for auth_provider in AUTH_PROVIDER_LIST:
        form = auth_provider.get_form()
@ -53,14 +67,20 @@ def login_auth():
            session['auth_providers'].append(auth_provider.get_name())

        if auth_provider.get_name() not in session['auth_providers']:
-            auth_forms.append(form)
+            auth_forms[auth_provider.get_name()]=form

    if len(session['auth_providers']) >= 2:
        login_user(SecurityUser(session['username']))
        # TODO use this var
-        _next = request.args.get('next')
-        return redirect(url_for('frontend.index'))
-    print(auth_forms)
+        _next = None
+        try:
+            _next_url = urlparse(b64decode(request.args.get('next')).decode())
+            _host_url = urlparse(request.url)
+            if _next_url.scheme == _host_url.scheme and _next_url.netloc == _host_url.netloc :
+                _next = _next_url.geturl()
+        except Exception as e:
+            raise e
+        return redirect(_next or url_for('frontend.index'))
    return render_template('frontend/login_auth.html.j2', forms=auth_forms)


--- a/lenticular_cloud/views/oidc.py
+++ b/lenticular_cloud/views/oidc.py
@ -1,7 +1,7 @@
 from urllib.parse import urlencode, parse_qs

 import flask
-from flask import Blueprint, redirect
+from flask import Blueprint, redirect, request
 from flask import current_app, session
 from flask import jsonify
 from flask.helpers import make_response
@ -14,6 +14,8 @@ from pyop.exceptions import InvalidAuthenticationRequest, InvalidAccessToken, In
    InvalidSubjectIdentifier, InvalidClientRegistrationRequest
 from pyop.util import should_fragment_encode

+from ..form.frontend import OidcAuthenticationConfirm
+
 oidc_provider_views = Blueprint('oidc_provider', __name__, url_prefix='')


@ -29,10 +31,17 @@ def registration_endpoint():

@oidc_provider_views.route('/authentication', methods=['GET'])
@login_required
+def authentication_endpoint_confirm():
+    form = OidcAuthenticationConfirm()
+    return render_template('frontend/oidc_authentication.html.j2', form=form)
+
+
+@oidc_provider_views.route('/authentication', methods=['POST'])
+@login_required
 def authentication_endpoint():
    # parse authentication request
-    print(flask.request)
-    print(flask.request.headers)
+    print(request)
+    print(request.headers)
    try:
        auth_req = current_app.provider.parse_authentication_request(urlencode(flask.request.args),
                                                                     flask.request.args)
@ -45,7 +54,7 @@ def authentication_endpoint():
            # show error to user
            return make_response('Something went wrong: {}'.format(str(e)), 400)

-    # automagic authentication
+    # automatically authentication
    authn_response = current_app.provider.authorize(auth_req, str(current_user.username))
    response_url = authn_response.request(auth_req['redirect_uri'], should_fragment_encode(auth_req))
    return redirect(response_url, 303)
--- a/templates/frontend/login.html.j2
+++ b/templates/frontend/login.html.j2
@ -4,15 +4,8 @@

 {% block content %}

-<form method="POST" action="/login">
-	{{ form.csrf_token }}
-	<div class="form-group row">
-		<label class="col-sm-2 col-form-label">{{ form.name.label }} </label>
-		<div class="col-sm-10">
-			{{ form.name(size=20) }}
-		</div>
-	</div>
-	{{ form.submit() }}
-</form>
+
+{{ render_form(form) }}
+
 {% endblock %}

--- a/templates/frontend/login_auth.html.j2
+++ b/templates/frontend/login_auth.html.j2
@ -4,9 +4,21 @@

 {% block content %}

-{% for form in forms %}
-	{{ render_form(form) }}
-{% endfor %}
+<ul class="nav nav-tabs" id="myTab" role="tablist">
+  {% for auth_name in forms.keys() %}
+	<li class="nav-item">
+		<a class="nav-link{{' active' if loop.first else ''}}" id="home-tab" data-toggle="tab" href="#{{ auth_name }}" role="tab" aria-controls="home" aria-selected="true">{{ gettext(auth_name) }}</a>
+	</li>
+  {% endfor %}
+</ul>
+<div class="tab-content" id="myTabContent">
+	{% for auth_name, form in forms.items() %}
+	<div class="tab-pane fade{{ ' show active' if loop.first else '' }}" id="{{ auth_name }}" role="tabpanel" aria-labelledby="{{ auth_name }}-tab">
+
+		{{ render_form(form) }}
+	</div>
+	{% endfor %}
+</div>


 {% endblock %}
--- a/templates/frontend/oidc_authentication.html.j2
+++ b/templates/frontend/oidc_authentication.html.j2
@ -0,0 +1,17 @@
+{% extends 'frontend/base.html.j2' %}
+
+{% block title %}{{ gettext('Oauth2 Request') }}{% endblock %}
+
+{% block content %}
+
+<div class="container">
+	<p>
+	A service ask for access to your account data.<br>
+
+	You can confirm this pressing "Continue"
+	</p>
+
+	{{ render_form(form) }}
+</div>
+
+{% endblock %}