-
Notifications
You must be signed in to change notification settings - Fork 1
/
device_client.py
258 lines (221 loc) · 8.18 KB
/
device_client.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
"""device_client.py"""
# fmt:off
import io
import logging
import time
from itertools import zip_longest
from pathlib import Path
from typing import Any, Dict, List, Optional
import qrcode # type: ignore[import]
import requests
from .openid_client import OpenIDRestClient
from ..utils.auth import OpenIDAuth
from ..utils.pkce import PKCEMixin
def _print_qrcode(req: Dict[str, str]) -> None:
if 'verification_uri_complete' not in req:
req['verification_uri_complete'] = req['verification_uri']+'?user_code='+req['user_code']
qr = qrcode.QRCode(border=2)
qr.add_data(req['verification_uri_complete'])
f = io.StringIO()
qr.print_ascii(out=f)
f.seek(0)
code = f.read().rstrip().split('\n')
code_width = max(len(c) for c in code)
text_width = max(len(req['verification_uri']), 30)
box_width = 2 + text_width + code_width
qrtext = f'''
To complete authorization,
scan the QR code or, using
a browser on another device,
visit:
{req["verification_uri"]}
And enter the code:
{req["user_code"]}
'''.split('\n')
if box_width < 78:
print('+', '-' * box_width, '+', sep='')
for text,qrdata in zip_longest(qrtext, code, fillvalue=''):
print('| ', f'{text:<{text_width}}', f'{qrdata:{code_width}}', '|', sep='')
print('+', '-' * box_width, '+', sep='')
else:
box_width = max(text_width+4, code_width)
print('+', '-' * box_width, '+', sep='')
for text in qrtext:
print('| ', f'{text:<{box_width-4}}', ' |', sep='')
for qrdata in code:
print('|', f'{qrdata:<{box_width}}', '|', sep='')
print('+', '-' * box_width, '+', sep='')
# fmt:on
class CommonDeviceGrant(PKCEMixin):
def perform_device_grant(
self,
logger: logging.Logger,
device_url: str,
token_url: str,
client_id: str,
client_secret: Optional[str] = None,
scopes: Optional[List[str]] = None,
) -> str:
args = {
'client_id': client_id,
'scope': 'offline_access ' + (' '.join(scopes) if scopes else ''),
}
if client_secret:
args['client_secret'] = client_secret
else:
code_challenge = self.create_pkce_challenge()
args['code_challenge'] = code_challenge
args['code_challenge_method'] = 'S256'
try:
r = requests.post(device_url, data=args)
r.raise_for_status()
req = r.json()
except requests.exceptions.HTTPError as exc:
logger.debug('%r', exc.response.text)
try:
req = exc.response.json()
except Exception:
req = {}
error = req.get('error', '')
raise RuntimeError(f'Device authorization failed: {error}') from exc
except Exception as exc:
raise RuntimeError('Device authorization failed') from exc
logger.debug('Device auth in progress')
_print_qrcode(req)
args = {
'grant_type': 'urn:ietf:params:oauth:grant-type:device_code',
'device_code': req['device_code'],
'client_id': client_id,
}
if client_secret:
args['client_secret'] = client_secret
else:
args['code_verifier'] = self.get_pkce_verifier(code_challenge)
sleep_time = int(req.get('interval', 5))
while True:
time.sleep(sleep_time)
try:
r = requests.post(token_url, data=args)
r.raise_for_status()
req = r.json()
except requests.exceptions.HTTPError as exc:
logger.debug('%r', exc.response.text)
try:
req = exc.response.json()
except Exception:
req = {}
error = req.get('error', '')
if error == 'authorization_pending':
continue
elif error == 'slow_down':
sleep_time += 5
continue
raise RuntimeError(f'Device authorization failed: {error}') from exc
except Exception as exc:
raise RuntimeError('Device authorization failed') from exc
break
return req['refresh_token']
def DeviceGrantAuth(
address: str,
token_url: str,
client_id: str,
client_secret: Optional[str] = None,
scopes: Optional[List[str]] = None,
**kwargs: Any,
) -> OpenIDRestClient:
"""A REST client that can handle OpenID and the OAuth2 Device Client flow.
Args:
address (str): base address of REST API
token_url (str): base address of token service
client_id (str): client id
client_secret (str): client secret (optional - required for confidential clients)
scopes (list): token scope list (optional)
timeout (int): request timeout (optional)
retries (int): number of retries to attempt (optional)
"""
logger = kwargs.pop('logger', logging.getLogger('DeviceGrantAuth'))
auth = OpenIDAuth(token_url)
if 'device_authorization_endpoint' not in auth.provider_info:
raise RuntimeError('Device grant not supported by server')
endpoint: str = auth.provider_info['device_authorization_endpoint'] # type: ignore
device = CommonDeviceGrant()
refresh_token = device.perform_device_grant(
logger, endpoint, auth.token_url, client_id, client_secret, scopes
)
return OpenIDRestClient(
address=address,
token_url=token_url,
client_id=client_id,
client_secret=client_secret,
refresh_token=refresh_token,
logger=logger,
**kwargs,
)
def _load_token_from_file(filepath: Path) -> Optional[str]:
if filepath.exists():
return filepath.read_text()
return None
def _save_token_to_file(filepath: Path, token: str) -> None:
filepath.write_text(token)
def SavedDeviceGrantAuth(
address: str,
token_url: str,
filename: str,
client_id: str,
client_secret: Optional[str] = None,
scopes: Optional[List[str]] = None,
**kwargs: Any,
) -> OpenIDRestClient:
"""
A REST client that can handle OpenID and the OAuth2 Device Client flow,
and saves a refresh token to a file for quick access.
Args:
address (str): base address of REST API
token_url (str): base address of token service
filename (str): name of file to save/load refresh token
client_id (str): client id
client_secret (str): client secret (optional - required for confidential clients)
scopes (list): token scope list (optional)
timeout (int): request timeout (optional)
retries (int): number of retries to attempt (optional)
"""
logger = kwargs.pop('logger', logging.getLogger('SavedDeviceGrantAuth'))
filepath = Path(filename)
def update_func(access, refresh):
_save_token_to_file(filepath, refresh)
refresh_token = _load_token_from_file(filepath)
if refresh_token:
try:
# this will try to refresh, and raise if it fails
return OpenIDRestClient(
address=address,
token_url=token_url,
client_id=client_id,
client_secret=client_secret,
refresh_token=refresh_token,
update_func=update_func,
logger=logger,
**kwargs,
)
except Exception:
pass
auth = OpenIDAuth(token_url)
if not auth.provider_info:
raise RuntimeError('Token service does not support .well-known discovery')
if 'device_authorization_endpoint' not in auth.provider_info:
raise RuntimeError('Device grant not supported by server')
endpoint: str = auth.provider_info['device_authorization_endpoint'] # type: ignore
device = CommonDeviceGrant()
refresh_token = device.perform_device_grant(
logger, endpoint, auth.token_url, client_id, client_secret, scopes
)
return OpenIDRestClient(
address=address,
token_url=token_url,
client_id=client_id,
client_secret=client_secret,
refresh_token=refresh_token,
update_func=update_func,
logger=logger,
**kwargs,
)