JWT in Keyrock and Keycloak (#29)

Author: SSladarov

.gitignore

@@ -36,3 +36,5 @@ nosetests.xml
 .mr.developer.cfg
 .project
 .pydevproject
+.idea
+venv

bin/travis-build.bash

@@ -57,7 +57,6 @@ sudo -u postgres psql -c "CREATE USER datastore_default WITH PASSWORD 'pass';"
 sudo -u postgres psql -c "CREATE DATABASE ckan_test WITH OWNER ckan_default;"
 sudo -u postgres psql -c "CREATE DATABASE datastore_test WITH OWNER ckan_default;"
 
-
 echo "Initialising the database..."
 cd ckan
 paster db init -c test-core.ini

ckanext/oauth2/oauth2.py

@@ -36,6 +36,8 @@
 from requests_oauthlib import OAuth2Session
 import six
 
+import jwt
+
 import constants
 
 
@@ -61,6 +63,8 @@ def __init__(self):
         if self.verify_https and os.environ.get("REQUESTS_CA_BUNDLE", "").strip() != "":
             self.verify_https = os.environ["REQUESTS_CA_BUNDLE"].strip()
 
+        self.jwt_enable = six.text_type(os.environ.get('CKAN_OAUTH2_JWT_ENABLE', toolkit.config.get('ckan.oauth2.jwt.enable',''))).strip().lower() in ("true", "1", "on")
+
         self.legacy_idm = six.text_type(os.environ.get('CKAN_OAUTH2_LEGACY_IDM', toolkit.config.get('ckan.oauth2.legacy_idm', ''))).strip().lower() in ("true", "1", "on")
         self.authorization_endpoint = six.text_type(os.environ.get('CKAN_OAUTH2_AUTHORIZATION_ENDPOINT', toolkit.config.get('ckan.oauth2.authorization_endpoint', ''))).strip()
         self.token_endpoint = six.text_type(os.environ.get('CKAN_OAUTH2_TOKEN_ENDPOINT', toolkit.config.get('ckan.oauth2.token_endpoint', ''))).strip()
@@ -126,61 +130,74 @@ def get_token(self):
         return token
 
     def identify(self, token):
-        try:
-            if self.legacy_idm:
-                profile_response = requests.get(self.profile_api_url + '?access_token=%s' % token['access_token'], verify=self.verify_https)
-            else:
-                oauth = OAuth2Session(self.client_id, token=token)
-                profile_response = oauth.get(self.profile_api_url, verify=self.verify_https)
 
-        except requests.exceptions.SSLError as e:
-            # TODO search a better way to detect invalid certificates
-            if "verify failed" in six.text_type(e):
-                raise InsecureTransportError()
-            else:
-                raise
+        if self.jwt_enable:
 
-        # Token can be invalid
-        if not profile_response.ok:
-            error = profile_response.json()
-            if error.get('error', '') == 'invalid_token':
-                raise ValueError(error.get('error_description'))
-            else:
-                profile_response.raise_for_status()
+            access_token = bytes(token['access_token'])
+            user_data = jwt.decode(access_token, verify=False)
+            user = self.user_json(user_data)
         else:
-            user_data = profile_response.json()
-            email = user_data[self.profile_api_mail_field]
-            user_name = user_data[self.profile_api_user_field]
 
-            # In CKAN can exists more than one user associated with the same email
-            # Some providers, like Google and FIWARE only allows one account per email
-            user = None
-            users = model.User.by_email(email)
-            if len(users) == 1:
-                user = users[0]
+            try:
+                if self.legacy_idm:
+                    profile_response = requests.get(self.profile_api_url + '?access_token=%s' % token['access_token'], verify=self.verify_https)
+                else:
+                    oauth = OAuth2Session(self.client_id, token=token)
+                    profile_response = oauth.get(self.profile_api_url, verify=self.verify_https)
+
+            except requests.exceptions.SSLError as e:
+                # TODO search a better way to detect invalid certificates
+                if "verify failed" in six.text_type(e):
+                    raise InsecureTransportError()
+                else:
+                    raise
+
+            # Token can be invalid
+            if not profile_response.ok:
+                error = profile_response.json()
+                if error.get('error', '') == 'invalid_token':
+                    raise ValueError(error.get('error_description'))
+                else:
+                    profile_response.raise_for_status()
+            else:
+                user_data = profile_response.json()
+                user = self.user_json(user_data)
 
-            # If the user does not exist, we have to create it...
-            if user is None:
-                user = model.User(email=email)
+        # Save the user in the database
+        model.Session.add(user)
+        model.Session.commit()
+        model.Session.remove()
+
+        return user.name
+
+    def user_json(self, user_data):
+        email = user_data[self.profile_api_mail_field]
+        user_name = user_data[self.profile_api_user_field]
+
+        # In CKAN can exists more than one user associated with the same email
+        # Some providers, like Google and FIWARE only allows one account per email
+        user = None
+        users = model.User.by_email(email)
+        if len(users) == 1:
+            user = users[0]
 
-            # Now we update his/her user_name with the one provided by the OAuth2 service
-            # In the future, users will be obtained based on this field
-            user.name = user_name
+        # If the user does not exist, we have to create it...
+        if user is None:
+            user = model.User(email=email)
 
-            # Update fullname
-            if self.profile_api_fullname_field != "" and self.profile_api_fullname_field in user_data:
-                user.fullname = user_data[self.profile_api_fullname_field]
+        # Now we update his/her user_name with the one provided by the OAuth2 service
+        # In the future, users will be obtained based on this field
+        user.name = user_name
 
-            # Update sysadmin status
-            if self.profile_api_groupmembership_field != "" and self.profile_api_groupmembership_field in user_data:
-                user.sysadmin = self.sysadmin_group_name in user_data[self.profile_api_groupmembership_field]
+        # Update fullname
+        if self.profile_api_fullname_field != "" and self.profile_api_fullname_field in user_data:
+            user.fullname = user_data[self.profile_api_fullname_field]
 
-            # Save the user in the database
-            model.Session.add(user)
-            model.Session.commit()
-            model.Session.remove()
+        # Update sysadmin status
+        if self.profile_api_groupmembership_field != "" and self.profile_api_groupmembership_field in user_data:
+            user.sysadmin = self.sysadmin_group_name in user_data[self.profile_api_groupmembership_field]
 
-            return user.name
+        return user
 
     def _get_rememberer(self, environ):
         plugins = environ.get('repoze.who.plugins', {})
@@ -218,6 +235,7 @@ def get_stored_token(self, user_name):
             }
 
     def update_token(self, user_name, token):
+
         user_token = db.UserToken.by_user_name(user_name=user_name)
         # Create the user if it does not exist
         if not user_token:
@@ -227,7 +245,12 @@ def update_token(self, user_name, token):
         user_token.access_token = token['access_token']
         user_token.token_type = token['token_type']
         user_token.refresh_token = token.get('refresh_token')
-        user_token.expires_in = token['expires_in']
+        if 'expires_in' in token:
+            user_token.expires_in = token['expires_in']
+        else:
+            access_token = jwt.decode(user_token.access_token, verify=False)
+            user_token.expires_in = access_token['exp'] - access_token['iat']
+
         model.Session.add(user_token)
         model.Session.commit()
 

ckanext/oauth2/tests/test_oauth2.py

@@ -34,7 +34,6 @@
 from oauthlib.oauth2 import InsecureTransportError, MissingCodeError, MissingTokenError
 from requests.exceptions import SSLError
 
-
 OAUTH2TOKEN = {
     'access_token': 'token',
     'token_type': 'Bearer',
@@ -87,8 +86,9 @@ def tearDown(self):
         oauth2.db = self._db
         oauth2.OAuth2Session = self._OAuth2Session
 
-    def _helper(self, fullname_field=True, mail_field=True, conf=None, missing_conf=None):
+    def _helper(self, fullname_field=True, mail_field=True, conf=None, missing_conf=None, jwt_enable=False):
         oauth2.db = MagicMock()
+        oauth2.jwt = MagicMock()
 
         oauth2.toolkit.config = {
             'ckan.oauth2.legacy_idm': 'false',
@@ -110,6 +110,9 @@ def _helper(self, fullname_field=True, mail_field=True, conf=None, missing_conf=
         if fullname_field:
             helper.profile_api_fullname_field = self._fullname_field
 
+        if jwt_enable:
+            helper.jwt_enable = True
+
         return helper
 
     @parameterized.expand([
@@ -341,7 +344,6 @@ def test_identify(self, username, fullname=None, email=None, user_exists=True,
         print(username, fullname, email, user_exists, fullname_field, sysadmin)
 
         # Create the mocks
-        request = MagicMock()
         request = make_request(False, 'localhost', '/oauth2/callback', {})
         oauth2.toolkit.request = request
         oauth2.model.Session = MagicMock()
@@ -383,6 +385,29 @@ def test_identify(self, username, fullname=None, email=None, user_exists=True,
         oauth2.model.Session.commit.assert_called_once()
         oauth2.model.Session.remove.assert_called_once()
 
+    def test_identify_jwt(self):
+
+        helper = self._helper(jwt_enable=True)
+        token = OAUTH2TOKEN
+        user_data ={self._user_field: 'test_user', self._email_field: '[email protected]'}
+
+        oauth2.jwt.decode.return_value = user_data
+
+        oauth2.model.Session = MagicMock()
+        user = MagicMock()
+        user.name = None
+        user.email = None
+        oauth2.model.User = MagicMock(return_value=user)
+        oauth2.model.User.by_email = MagicMock(return_value=[user])
+
+        returned_username = helper.identify(token)
+
+        self.assertEquals(user_data[self._user_field], returned_username)
+
+        oauth2.model.Session.add.assert_called_once_with(user)
+        oauth2.model.Session.commit.assert_called_once()
+        oauth2.model.Session.remove.assert_called_once()
+
     @parameterized.expand([
         ({'error': 'invalid_token', 'error_description': 'Error Description'},),
         ({'error': 'another_error'},)
@@ -472,10 +497,12 @@ def test_redirect_from_callback(self, identity):
         self.assertEquals(came_from, oauth2.toolkit.response.location)
 
     @parameterized.expand([
-        (True,),
-        (False,)
+        (True, True),
+        (True, False),
+        (False, False),
+        (False, True),
     ])
-    def test_update_token(self, user_exists):
+    def test_update_token(self, user_exists, jwt_expires_in):
         helper = self._helper()
         user = 'user'
 
@@ -494,26 +521,48 @@ def test_update_token(self, user_exists):
         oauth2.db.UserToken.by_user_name = MagicMock(return_value=usertoken)
 
         # The token to be updated
-        newtoken = {
-            'access_token': 'new_access_token',
-            'token_type': 'new_token_type',
-            'expires_in': 'new_expires_in',
-            'refresh_token': 'new_refresh_token'
-        }
-
-        helper.update_token('user', newtoken)
-
-        # Check that the object has been stored
-        oauth2.model.Session.add.assert_called_once()
-        oauth2.model.Session.commit.assert_called_once()
+        if jwt_expires_in:
+            newtoken = {
+                'access_token': 'new_access_token',
+                'token_type': 'new_token_type',
+                'expires_in': 'new_expires_in',
+                'refresh_token': 'new_refresh_token'
+            }
+            helper.update_token('user', newtoken)
+
+            # Check that the object has been stored
+            oauth2.model.Session.add.assert_called_once()
+            oauth2.model.Session.commit.assert_called_once()
+
+            # Check that the object contains the correct information
+            tk = oauth2.model.Session.add.call_args_list[0][0][0]
+            self.assertEquals(user, tk.user_name)
+            self.assertEquals(newtoken['access_token'], tk.access_token)
+            self.assertEquals(newtoken['token_type'], tk.token_type)
+            self.assertEquals(newtoken['expires_in'], tk.expires_in)
+            self.assertEquals(newtoken['refresh_token'], tk.refresh_token)
+        else:
+            newtoken = {
+                'access_token': 'new_access_token',
+                'token_type': 'new_token_type',
+                'refresh_token': 'new_refresh_token'
+            }
+            expires_in_data = {'exp': 3600, 'iat': 0}
+            oauth2.jwt.decode.return_value = expires_in_data
+            helper.update_token('user', newtoken)
+
+            # Check that the object has been stored
+            oauth2.model.Session.add.assert_called_once()
+            oauth2.model.Session.commit.assert_called_once()
+
+            # Check that the object contains the correct information
+            tk = oauth2.model.Session.add.call_args_list[0][0][0]
+            self.assertEquals(user, tk.user_name)
+            self.assertEquals(newtoken['access_token'], tk.access_token)
+            self.assertEquals(newtoken['token_type'], tk.token_type)
+            self.assertEquals(3600, tk.expires_in)
+            self.assertEquals(newtoken['refresh_token'], tk.refresh_token)
 
-        # Check that the object contains the correct information
-        tk = oauth2.model.Session.add.call_args_list[0][0][0]
-        self.assertEquals(user, tk.user_name)
-        self.assertEquals(newtoken['access_token'], tk.access_token)
-        self.assertEquals(newtoken['token_type'], tk.token_type)
-        self.assertEquals(newtoken['expires_in'], tk.expires_in)
-        self.assertEquals(newtoken['refresh_token'], tk.refresh_token)
 
     @parameterized.expand([
         (True,),