forked from jupyterhub/oauthenticator
-
Notifications
You must be signed in to change notification settings - Fork 0
/
generic.py
223 lines (181 loc) · 7.16 KB
/
generic.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
"""
Custom Authenticator to use generic OAuth2 with JupyterHub
"""
import base64
import os
from urllib.parse import urlencode
from jupyterhub.auth import LocalAuthenticator
from tornado.httpclient import AsyncHTTPClient
from tornado.httpclient import HTTPRequest
from tornado.httputil import url_concat
from traitlets import Bool
from traitlets import default
from traitlets import Dict
from traitlets import List
from traitlets import Unicode
from traitlets import Union
from .oauth2 import OAuthenticator
from .traitlets import Callable
class GenericOAuthenticator(OAuthenticator):
login_service = Unicode("OAuth 2.0", config=True)
extra_params = Dict(help="Extra parameters for first POST request").tag(config=True)
claim_groups_key = Union(
[Unicode(os.environ.get('OAUTH2_GROUPS_KEY', 'groups')), Callable()],
config=True,
help="""
Userdata groups claim key from returned json for USERDATA_URL.
Can be a string key name or a callable that accepts the returned
json (as a dict) and returns the groups list. The callable is useful
e.g. for extracting the groups from a nested object in the response.
""",
)
allowed_groups = List(
Unicode(),
config=True,
help="Automatically allow members of selected groups",
)
admin_groups = List(
Unicode(),
config=True,
help="Groups whose members should have Jupyterhub admin privileges",
)
username_key = Union(
[Unicode(os.environ.get('OAUTH2_USERNAME_KEY', 'username')), Callable()],
config=True,
help="""
Userdata username key from returned json for USERDATA_URL.
Can be a string key name or a callable that accepts the returned
json (as a dict) and returns the username. The callable is useful
e.g. for extracting the username from a nested object in the
response.
""",
)
userdata_params = Dict(
help="Userdata params to get user data login information"
).tag(config=True)
userdata_token_method = Unicode(
os.environ.get('OAUTH2_USERDATA_REQUEST_TYPE', 'header'),
config=True,
help="Method for sending access token in userdata request. Supported methods: header, url. Default: header",
)
tls_verify = Bool(
os.environ.get('OAUTH2_TLS_VERIFY', 'True').lower() in {'true', '1'},
config=True,
help="Disable TLS verification on http request",
)
basic_auth = Bool(
os.environ.get('OAUTH2_BASIC_AUTH', 'True').lower() in {'true', '1'},
config=True,
help="Disable basic authentication for access token request",
)
@default("http_client")
def _default_http_client(self):
return AsyncHTTPClient(
force_instance=True, defaults=dict(validate_cert=self.tls_verify)
)
def _get_headers(self):
headers = {"Accept": "application/json", "User-Agent": "JupyterHub"}
if self.basic_auth:
b64key = base64.b64encode(
bytes("{}:{}".format(self.client_id, self.client_secret), "utf8")
)
headers.update({"Authorization": "Basic {}".format(b64key.decode("utf8"))})
return headers
def _get_token(self, headers, params):
if self.token_url:
url = self.token_url
else:
raise ValueError("Please set the $OAUTH2_TOKEN_URL environment variable")
req = HTTPRequest(
url,
method="POST",
headers=headers,
body=urlencode(params),
)
return self.fetch(req, "fetching access token")
def _get_user_data(self, token_response):
access_token = token_response['access_token']
token_type = token_response['token_type']
# Determine who the logged in user is
headers = {
"Accept": "application/json",
"User-Agent": "JupyterHub",
"Authorization": "{} {}".format(token_type, access_token),
}
if self.userdata_url:
url = url_concat(self.userdata_url, self.userdata_params)
else:
raise ValueError("Please set the OAUTH2_USERDATA_URL environment variable")
if self.userdata_token_method == "url":
url = url_concat(self.userdata_url, dict(access_token=access_token))
req = HTTPRequest(url, headers=headers)
return self.fetch(req, "fetching user data")
@staticmethod
def _create_auth_state(token_response, user_data_response):
access_token = token_response['access_token']
refresh_token = token_response.get('refresh_token', None)
scope = token_response.get('scope', '')
if isinstance(scope, str):
scope = scope.split(' ')
return {
'access_token': access_token,
'refresh_token': refresh_token,
'oauth_user': user_data_response,
'scope': scope,
}
@staticmethod
def check_user_in_groups(member_groups, allowed_groups):
return bool(set(member_groups) & set(allowed_groups))
async def authenticate(self, handler, data=None):
code = handler.get_argument("code")
params = dict(
redirect_uri=self.get_callback_url(handler),
code=code,
grant_type='authorization_code',
)
params.update(self.extra_params)
headers = self._get_headers()
token_resp_json = await self._get_token(headers, params)
user_data_resp_json = await self._get_user_data(token_resp_json)
if callable(self.username_key):
name = self.username_key(user_data_resp_json)
else:
name = user_data_resp_json.get(self.username_key)
if not name:
self.log.error(
"OAuth user contains no key %s: %s",
self.username_key,
user_data_resp_json,
)
return
user_info = {
'name': name,
'auth_state': self._create_auth_state(token_resp_json, user_data_resp_json),
}
if self.allowed_groups:
self.log.info(
'Validating if user claim groups match any of {}'.format(
self.allowed_groups
)
)
if callable(self.claim_groups_key):
groups = self.claim_groups_key(user_data_resp_json)
else:
groups = user_data_resp_json.get(self.claim_groups_key)
if not groups:
self.log.error(
"No claim groups found for user! Something wrong with the `claim_groups_key` {}? {}".format(
self.claim_groups_key, user_data_resp_json
)
)
groups = []
if self.check_user_in_groups(groups, self.allowed_groups):
user_info['admin'] = self.check_user_in_groups(
groups, self.admin_groups
)
else:
user_info = None
return user_info
class LocalGenericOAuthenticator(LocalAuthenticator, GenericOAuthenticator):
"""A version that mixes in local system user creation"""
pass