U
    TFdQ#                     @   s6   d dl mZ d dlT ddlmZ G dd dejZdS )    )fields)*   )cmf_auth_openid_pluginc                       s   e Zd Zejjd ZdZedd Zdd Z	 fddZ
 fd	d
ZedddZeedddZedddZdd Zedd Zdd Z  ZS )CmfAuthOpenIdPlugin)loggerNc                 C   sB   | j s<ddlm} tj}tjr$tj}|j|  dd|d| _ | j S )Nr   )
log_config
   i@KL )ZbackupCountZmaxByteslevel)	_CmfAuthOpenIdPlugin__loggerZcmf.modules.logsr   ZloggingINFOconfigDEBUGZ
get_loggerZget_files_dir)selfr   r
    r   ../modules/sso/models/cmf_auth_openid_plugin.pyr      s    zCmfAuthOpenIdPlugin.loggerc                 C   s0   | j js| jjjsd S tjdtj	dd| _ d S )Nzhttps://Zssozopenid-connect)
callback_urlis_nullpluginext_url
is_changedospathjoinr   Z
ORG_DOMAINr   r   r   r   _check_callback_url   s    z'CmfAuthOpenIdPlugin._check_callback_urlc                    s   t   ddg S )Nr   zplugin.ext_url)supersave_preload_fieldsr   	__class__r   r   r      s    z'CmfAuthOpenIdPlugin.save_preload_fieldsc                    s,   |    | jjrtjdd| _t j||S )Nr   )type)r   r   r   modelsZ	CmfPluginr   save)r   argskwargsr   r   r   r"      s    zCmfAuthOpenIdPlugin.savecodec                 C   s   dd l }| ddg | jdkr:| jj|dg| jjd}n|jtj	
| jjjd| jjjd }t|d	}| jjj|d
< | jj|d< | jjj|d< d|d< ddi}|j|d ||| jjjd}|  | }d|krd| | jd|  |S )Nr   app_typeplugin.*keycloakZauthorization_code)r&   
grant_typeredirect_uri .well-known/openid-configurationverifyr%   	client_idr+   client_secretr*   content-type!application/x-www-form-urlencodedtoken_endpointdataheadersr.   erroru>   Сервер авторизации вернул ошибку u   Получили токен )requestsload_fieldsr'   client_keycloaktokenr   valuegetr   r   r   r   r   
verify_ssljsondictext_client_id
ext_secretpostraise_for_statusr   info)r   r&   r8   r;   openid_confparamsr6   resr   r   r   	get_token$   s,    



zCmfAuthOpenIdPlugin.get_token)access_tokenc                 C   s6   dd l }dd l}|| dd d }||}|S )Nr   .   ==)base64r?   Z	b64decodesplitloads)rJ   rN   r?   Zdecoded_tokenZ
token_infor   r   r   unpack_tokenA   s
    
z CmfAuthOpenIdPlugin.unpack_token)jwtc           	   	   C   s  |  |d }| jd|  || jj}dddddg}tjj||d}|sv|drvtjjd	d
|d  g|d}|s| jrd}t	
||r|}n| d| j }tj|||d|d|d|dd}tj g|_ntd||_|jr|  tj|| d}|j  |j  |j|_|d|_|j|_|d |_|d |_|d |_|d |_t j!r|t j!d |_"|  |S )NrJ   u.   Создаем сессию по access_token 	ext_loginname
first_name	last_nameemail)rS   r   loginrM   )filterr   z0^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$@Z
given_nameZfamily_name)rS   rX   rW   rT   rU   rV   u1   Пользователя нет в системе)rR   r   refresh_tokenrefresh_expires_inscope
expires_inr   )#rQ   r   rE   r=   Zusername_claimr<   r!   Z	CmfPersonZcreate_new_userrematchdomainZCmfPersonGroupZ
user_groupZrg_member_of	ExceptionrS   r   r"   Z
CmfSessionZ	auth_dateset_nowreauth_daterX   Z
user_loginZ
user_emailidZuser_idr[   lifetimer]   access_token_expires_inrequestZaccess_routeZ	client_ip)	r   rR   ZpayloadrS   _fieldsZpersonpatternZ	cmf_loginsessionr   r   r   get_sessionM   sJ      





zCmfAuthOpenIdPlugin.get_sessionc                 C   sH  dd l }z| jd|jj  | ddg | jr:t| jdkrV| j	
|j
j}n||jtj| jjjd| jjjd }t|j
jd| jjj| jjjd	}d
di}|j|d ||| jjjd}|  | }|r|j  |d |_|d |_
|d |_|  |W S W n2   | jd|jj  d|_|  Y d S X d S )Nr   u    Обновляем сессию disabledr(   r)   r,   r-   r[   )r[   r*   r/   r0   r1   r2   r3   r4   r\   r^   uA   Ошибка обновления сессии по токену T)r8   r   rE   re   r<   r9   rm   AssertionErrorr'   r:   r[   r=   r   r   r   r   r   r>   r?   r@   rA   rB   rC   rD   rd   rc   rf   rg   r"   	exceptionZexpired)r   rk   r8   rR   rF   rG   r6   rH   r   r   r   r[   u   sB    







z!CmfAuthOpenIdPlugin.refresh_tokenc                 C   sH   ddl m} | dg || jjj| jjj| jjj| jjj| jj	jdS )Nr   )KeycloakOpenIDr(   )Z
server_urlr/   Z
realm_nameZclient_secret_keyr.   )
r)   rp   r9   r   r   r<   rA   Zext_realm_namerB   r>   )r   rp   r   r   r   r:      s    
z#CmfAuthOpenIdPlugin.client_keycloakc                 C   s   ddl m} dd l}| dg ztdtji}| jdkrX| j	j
| jj| jj|d}n|jtj| jjjd| jjjd }t }| jjj|d	< | jj|d
< d|d< | jj|d< tdtji|d< ||}tj|d d| }| jd|  t|W S    | jd Y nX d S )Nr   )	urlencoder(   Znext_urlr)   )r+   r]   stater,   r-   r/   r+   r&   Zresponse_typer]   rr   Zauthorization_endpoint?u\   Редиректим пользователя на страницу авторизации: u#   Ошибка SSO редиректа)Zurllib.parserq   r8   r9   r?   dumpsrh   Zurlr'   r:   Zauth_urlr   r<   r]   r=   r   r   r   r   r   r>   r@   rA   r   rE   Zredirectro   )r   rq   r8   Zstate_paramsZ	login_urlrF   rG   Zqsr   r   r   login_redirect   s2    
 

z"CmfAuthOpenIdPlugin.login_redirect)__name__
__module____qualname__r   r   Zui_meta_skipr   propertyr   r   r   r"   strrI   staticmethodrQ   r@   rl   r[   r:   ru   __classcell__r   r   r   r   r      s   
	(!
	r   N)Zcmfr   Zcmf.includer   r   r   r   r   r   <module>   s   