From e4b4f8bb54359286e0acb89d67d047f52615be93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lvaro=20Arranz?= Date: Mon, 16 Apr 2018 13:07:59 +0200 Subject: [PATCH] Fix authentication when retrieving user profiles on normal oauth2 services while maintaining support with KeyRock 5 & 6. See #12 --- ckanext/oauth2/oauth2.py | 8 +++++++- ckanext/oauth2/tests/test_oauth2.py | 16 +++++++++++++++- test-fiware.ini | 1 + test.ini | 1 + 4 files changed, 24 insertions(+), 2 deletions(-) diff --git a/ckanext/oauth2/oauth2.py b/ckanext/oauth2/oauth2.py index f2db1b0..dab3de6 100644 --- a/ckanext/oauth2/oauth2.py +++ b/ckanext/oauth2/oauth2.py @@ -55,6 +55,7 @@ def __init__(self): self.verify_https = os.environ.get('OAUTHLIB_INSECURE_TRANSPORT', '') == "" + self.legacy_idm = six.text_type(config.get('ckan.oauth2.legacy_idm', '')).strip().lower() == "false" self.authorization_endpoint = config.get('ckan.oauth2.authorization_endpoint', None) self.token_endpoint = config.get('ckan.oauth2.token_endpoint', None) self.profile_api_url = config.get('ckan.oauth2.profile_api_url', None) @@ -114,7 +115,12 @@ def get_token(self): def identify(self, token): try: - profile_response = requests.get(self.profile_api_url + '?access_token=%s' % token['access_token'], verify=self.verify_https) + if self.legacy_idm: + profile_response = requests.get(self.profile_api_url + '?access_token=%s' % token['access_token'], verify=self.verify_https) + else: + oauth = OAuth2Session(self.client_id, token=token) + profile_response = oauth.get(self.profile_api_url, verify=self.verify_https) + except requests.exceptions.SSLError as e: # TODO search a better way to detect invalid certificates if "verify failed" in six.text_type(e): diff --git a/ckanext/oauth2/tests/test_oauth2.py b/ckanext/oauth2/tests/test_oauth2.py index 8c79fe5..b4f4df4 100644 --- a/ckanext/oauth2/tests/test_oauth2.py +++ b/ckanext/oauth2/tests/test_oauth2.py 
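Review bot: The comparison on the added `self.legacy_idm` line is inverted: the attribute becomes True only when `ckan.oauth2.legacy_idm` is the string `false`, so the `True` value that test.ini and test-fiware.ini set selects the non-legacy OAuth2Session path in `identify`, and the `'false'` default the test helper installs selects the legacy query-string path. Compare against the truthy spellings instead, `self.legacy_idm = six.text_type(config.get('ckan.oauth2.legacy_idm', '')).strip().lower() in ("true", "1", "on")`, which keeps the unset/empty default as non-legacy. A comment on that line stating that the flag opts into the KeyRock 5/6 profile lookup would also help, since the name alone does not say which IdM generation is "legacy". `__init__` starts before this hunk.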
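Review bot: The legacy branch in `identify` still sends the access token as a URL query parameter (`?access_token=`), where it is recorded in web-server, proxy and browser-history logs, whereas the new OAuth2Session branch presents it in a request header; nothing in the hunk records that the query-string form is deliberately retained only for KeyRock 5 and 6. A comment above `if self.legacy_idm:` such as `# KeyRock 5/6 only accept the token as a query parameter; other IdMs get it in the Authorization header via OAuth2Session` would keep the query-string form from being reused for new providers. Separately, the `except` that follows only handles `requests.exceptions.SSLError`; the OAuth2Session branch can presumably also raise oauthlib's TokenExpiredError when the token dict carries a past `expires_at`, which this try block does not cover. The enclosing try/except continues past the end of the hunk.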
@@ -83,10 +83,11 @@ def tearDown(self): oauth2.db = self._db oauth2.OAuth2Session = self._OAuth2Session - def _helper(self, fullname_field=True, mail_field=True): + def _helper(self, fullname_field=True, mail_field=True, conf=None): oauth2.db = MagicMock() oauth2.config = { + 'ckan.oauth2.legacy_idm': 'false', 'ckan.oauth2.authorization_endpoint': 'https://test/oauth2/authorize/', 'ckan.oauth2.token_endpoint': 'https://test/oauth2/token/', 'ckan.oauth2.client_id': 'client-id', @@ -95,6 +96,8 @@ def _helper(self, fullname_field=True, mail_field=True): 'ckan.oauth2.profile_api_user_field': self._user_field, 'ckan.oauth2.profile_api_mail_field': self._email_field, } + if conf is not None: + oauth2.config.update(conf) helper = OAuth2Helper() @@ -345,6 +348,17 @@ def test_identify_invalid_cert(self): helper = self._helper() token = {'access_token': 'OAUTH_TOKEN'} + with self.assertRaises(InsecureTransportError): + with patch('ckanext.oauth2.oauth2.OAuth2Session') as oauth2_session_mock: + oauth2_session_mock().fetch_token.side_effect = SSLError('(Caused by SSLError(SSLError("bad handshake: Error([(\'SSL routines\', \'tls_process_server_certificate\', \'certificate verify failed\')],)",),)') + helper.identify(token) + + @patch.dict(os.environ, {'OAUTHLIB_INSECURE_TRANSPORT': ''}) + def test_identify_invalid_cert_legacy(self): + + helper = self._helper(conf={"ckan.oauth2.legacy_idm": "True"}) + token = {'access_token': 'OAUTH_TOKEN'} + with self.assertRaises(InsecureTransportError): with patch('ckanext.oauth2.oauth2.requests.get') as requests_get_mock: requests_get_mock.side_effect = SSLError('(Caused by SSLError(SSLError("bad handshake: Error([(\'SSL routines\', \'tls_process_server_certificate\', \'certificate verify failed\')],)",),)') diff --git a/test-fiware.ini b/test-fiware.ini index 71ec7eb..3507fbc 100644 --- a/test-fiware.ini +++ b/test-fiware.ini 
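Review bot: In the added `test_identify_invalid_cert` block the mock sets `oauth2_session_mock().fetch_token.side_effect`, but the code path under test (`identify` in oauth2.py) calls `oauth.get(self.profile_api_url, ...)` on the session and never `fetch_token`, so the patched session's `get` returns a plain MagicMock and the expected `InsecureTransportError` cannot originate from this call. Set the side effect on the method actually invoked: `oauth2_session_mock().get.side_effect = SSLError('...')` with the same message string. With the flag comparison in oauth2.py as committed, the helper's default `'ckan.oauth2.legacy_idm': 'false'` selects the legacy requests.get path rather than the OAuth2Session path this test mocks, so the test should be re-run after the flag logic is settled. The `test_identify_invalid_cert` method starts before this hunk, in the context line of its header.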
@@ -47,6 +47,7 @@ ckan.oauth2.profile_api_user_field = id ckan.oauth2.profile_api_fullname_field = displayName ckan.oauth2.profile_api_mail_field = email ckan.oauth2.authorization_header = X-Auth-Token +ckan.oauth2.legacy_idm = True #who.config_file = %(here)s/who-fiware.ini diff --git a/test.ini b/test.ini index 1ed7abd..152d8bb 100644 --- a/test.ini +++ b/test.ini @@ -47,6 +47,7 @@ ckan.oauth2.profile_api_user_field = id ckan.oauth2.profile_api_fullname_field = displayName ckan.oauth2.profile_api_mail_field = email ckan.oauth2.authorization_header = X-Auth-Token +ckan.oauth2.legacy_idm = True #who.config_file = %(here)s/who-fiware.ini