#!/usr/bin/env python
# Copyright (c) 2011 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Provides authentcation related utilities and endpoint handlers.
All authentication code for the webapp should go through this module. In
general, credentials should be used server-side. The URL endpoints are for
initiating authentication flows, and for managing credential storage per user.
"""
import os
import gdata.gauth
import gdata.client
from google.appengine.ext import db
from google.appengine.api import users
from google.appengine.ext import webapp
from google.appengine.ext.webapp import template
from google.appengine.ext.webapp import util
from google.appengine.ext.webapp.util import login_required
SCOPES = ['https://www.googleapis.com/auth/chromoting',
'https://www.googleapis.com/auth/googletalk' ]
class NotAuthenticated(Exception):
"""API requiring authentication is called with credentials."""
pass
class OAuthInvalidSetup(Exception):
"""OAuth configuration on app is not complete."""
pass
class OAuthConfig(db.Model):
"""Stores the configuration data for OAuth.
Currently used to store the consumer key and secret so that it does not need
to be checked into the source tree.
"""
consumer_key = db.StringProperty()
consumer_secret = db.StringProperty()
httpxmppproxy = db.StringProperty()
def GetChromotingToken(throws=True):
"""Retrieves the Chromoting OAuth token for the user.
Args:
throws: bool (optional) Default is True. Throws if no token.
Returns:
An gdata.gauth.OAuthHmacToken for the current user.
"""
user = users.get_current_user()
access_token = None
if user:
access_token = LoadToken('chromoting_token')
if throws and not access_token:
raise NotAuthenticated()
return access_token
def GetXmppToken(throws=True):
"""Retrieves the XMPP for Chromoting.
Args:
throws: bool (optional) Default is True. Throws if no token.
Returns:
An gdata.gauth.ClientLoginToken for the current user.
"""
user = users.get_current_user()
access_token = None
if user:
access_token = LoadToken('xmpp_token')
if throws and not access_token:
raise NotAuthenticated()
return access_token
def ClearChromotingToken():
"""Clears all Chromoting OAuth token state from the datastore."""
DeleteToken('request_token')
DeleteToken('chromoting_token')
def ClearXmppToken():
"""Clears all Chromoting ClientLogin token state from the datastore."""
DeleteToken('xmpp_token')
def GetUserId():
"""Retrieves the user id for the current user.
Returns:
A string with the user id of the logged in user.
Raises:
NotAuthenticated if the user is not logged in, or missing an id.
"""
user = users.get_current_user()
if not user:
raise NotAuthenticated()
if not user.user_id():
raise NotAuthenticated('no e-mail with google account!')
return user.user_id()
def LoadToken(name):
"""Leads a gdata auth token for the current user.
Tokens are scoped to each user, and retrieved by a name.
Args:
name: A string with the name of the token for the current user.
Returns:
The token associated with the name for the user.
"""
user_id = GetUserId();
return gdata.gauth.AeLoad(user_id + name)
def SaveToken(name, token):
"""Saves a gdata auth token for the current user.
Tokens are scoped to each user, and stored by a name.
Args:
name: A string with the name of the token.
"""
user_id = GetUserId();
gdata.gauth.AeSave(token, user_id + name)
def DeleteToken(name):
"""Deletes a stored gdata auth token for the current user.
Tokens are scoped to each user, and stored by a name.
Args:
name: A string with the name of the token.
"""
user_id = GetUserId();
gdata.gauth.AeDelete(user_id + name)
def OAuthConfigKey():
"""Generates a standard key path for this app's OAuth configuration."""
return db.Key.from_path('OAuthConfig', 'oauth_config')
def GetOAuthConfig(throws=True):
"""Retrieves the OAuthConfig for this app.
Returns:
The OAuthConfig object for this app.
Raises:
OAuthInvalidSetup if no OAuthConfig exists.
"""
config = db.get(OAuthConfigKey())
if throws and not config:
raise OAuthInvalidSetup()
return config
class ChromotingAuthHandler(webapp.RequestHandler):
"""Initiates getting the OAuth access token for the user.
This webapp uses 3-legged OAuth. This handlers performs the first step
of getting the OAuth request token, and then forwarding on to the
Google Accounts authorization endpoint for the second step. The final
step is completed by the ChromotingAuthReturnHandler below.
FYI, all three steps are collectively known as the "OAuth dance."
"""
@login_required
def get(self):
ClearChromotingToken()
client = gdata.client.GDClient()
oauth_callback_url = ('http://%s/auth/chromoting_auth_return' %
self.request.host)
request_token = client.GetOAuthToken(
SCOPES, oauth_callback_url, GetOAuthConfig().consumer_key,
consumer_secret=GetOAuthConfig().consumer_secret)
SaveToken('request_token', request_token)
domain = None # Not on an Google Apps domain.
auth_uri = request_token.generate_authorization_url()
self.redirect(str(auth_uri))
class ChromotingAuthReturnHandler(webapp.RequestHandler):
"""Finishes the authorization started in ChromotingAuthHandler.i
After the user authorizes the OAuth request token at the OAuth request
URL they were redirected to in ChromotingAuthHandler, OAuth will send
them back here with an auth token in the URL.
This handler retrievies the access token, and stores it completing the
OAuth dance.
"""
@login_required
def get(self):
saved_request_token = LoadToken('request_token')
DeleteToken('request_token')
request_token = gdata.gauth.AuthorizeRequestToken(
saved_request_token, self.request.uri)
# Upgrade the token and save in the user's datastore
client = gdata.client.GDClient()
access_token = client.GetAccessToken(request_token)
SaveToken('chromoting_token', access_token)
self.redirect("/")
class XmppAuthHandler(webapp.RequestHandler):
"""Prompts Google Accounts credentials and retrieves a ClientLogin token.
This class takes the user's plaintext username and password, and then
posts a request to ClientLogin to get the access token.
THIS CLASS SHOULD NOT EXIST.
We should NOT be taking a user's Google Accounts credentials in our webapp.
However, we need a ClientLogin token for jingle, and this is currently the
only known workaround.
"""
@login_required
def get(self):
ClearXmppToken()
path = os.path.join(os.path.dirname(__file__), 'client_login.html')
self.response.out.write(template.render(path, {}))
def post(self):
client = gdata.client.GDClient()
email = self.request.get('username')
password = self.request.get('password')
try:
client.ClientLogin(
email, password, 'chromoclient', 'chromiumsync')
SaveToken('xmpp_token', client.auth_token)
except gdata.client.CaptchaChallenge:
self.response.out.write('You need to solve a Captcha. '
'Unforutnately, we still have to implement that.')
self.redirect('/')
class ClearChromotingTokenHandler(webapp.RequestHandler):
"""Endpoint for dropping the user's Chromoting token."""
@login_required
def get(self):
ClearChromotingToken()
self.redirect('/')
class ClearXmppTokenHandler(webapp.RequestHandler):
"""Endpoint for dropping the user's Xmpp token."""
@login_required
def get(self):
ClearXmppToken()
self.redirect('/')
class SetupOAuthHandler(webapp.RequestHandler):
"""Administrative page for specifying the OAuth consumer key/secret."""
@login_required
def get(self):
path = os.path.join(os.path.dirname(__file__),
'chromoting_oauth_setup.html')
self.response.out.write(template.render(path, {}))
def post(self):
old_consumer_secret = self.request.get('old_consumer_secret')
query = OAuthConfig.all()
# If there is an existing key, only allow updating if you know the old
# key. This is a simple safeguard against random users hitting this page.
config = GetOAuthConfig(throws=False)
httpxmppproxy = self.request.get('httpxmppproxy')
# TODO(ajwong): THIS IS A TOTAL HACK! FIX WITH OWN PAGE.
# Currently, this form has one submit button, and 3 pieces of input:
# consumer_key, oauth_secret, and the httpxmppproxy address. The first
# two only get committed if the secret + key match. The third always
# get committed via this hack. Really, it should just be a separate
# field/page to set this up.
if httpxmppproxy:
config.httpxmppproxy = httpxmppproxy
config.put()
config.consumer_key = self.request.get('consumer_key')
if config:
if config.consumer_secret != old_consumer_secret:
self.response.set_status(400)
self.response.out.write('Incorrect old consumer secret')
return
else:
config = OAuthConfig(key_name = OAuthConfigKey().id_or_name())
config.consumer_key = self.request.get('consumer_key')
config.consumer_secret = self.request.get('new_consumer_secret')
config.put()
self.redirect('/')
def GetHttpXmppProxy():
config = GetOAuthConfig(throws=True)
if not config.httpxmppproxy:
raise OAuthInvalidSetup()
return config.httpxmppproxy
def main():
application = webapp.WSGIApplication(
[
('/auth/chromoting_auth', ChromotingAuthHandler),
('/auth/xmpp_auth', XmppAuthHandler),
('/auth/chromoting_auth_return', ChromotingAuthReturnHandler),
('/auth/clear_xmpp_token', ClearXmppTokenHandler),
('/auth/clear_chromoting_token', ClearChromotingTokenHandler),
('/auth/setup_oauth', SetupOAuthHandler)
],
debug=True)
util.run_wsgi_app(application)
if __name__ == '__main__':
main()