initial commit 2

5 files changed, 210 insertions, 0 deletions

diff --git a/addons/auth_oauth/models/__init__.py b/addons/auth_oauth/models/__init__.py
new file mode 100644
index 00000000..381d9c86
--- /dev/null
+++ b/addons/auth_oauth/models/__init__.py
@@ -0,0 +1,7 @@
+# -*- coding: utf-8 -*-
+# Part of Odoo. See LICENSE file for full copyright and licensing details.
+
+from . import auth_oauth
+from . import res_config_settings
+from . import ir_config_parameter
+from . import res_users
diff --git a/addons/auth_oauth/models/auth_oauth.py b/addons/auth_oauth/models/auth_oauth.py
new file mode 100644
index 00000000..bdecce9b
--- /dev/null
+++ b/addons/auth_oauth/models/auth_oauth.py
@@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+# Part of Odoo. See LICENSE file for full copyright and licensing details.
+
+from odoo import fields, models
+
+
+class AuthOAuthProvider(models.Model):
+    """Class defining the configuration values of an OAuth2 provider"""
+
+    _name = 'auth.oauth.provider'
+    _description = 'OAuth2 provider'
+    _order = 'sequence, name'
+
+    name = fields.Char(string='Provider name', required=True)  # Name of the OAuth2 entity, Google, etc
+    client_id = fields.Char(string='Client ID')  # Our identifier
+    auth_endpoint = fields.Char(string='Authentication URL', required=True)  # OAuth provider URL to authenticate users
+    scope = fields.Char()  # OAUth user data desired to access
+    validation_endpoint = fields.Char(string='Validation URL', required=True)  # OAuth provider URL to validate tokens
+    data_endpoint = fields.Char(string='Data URL')
+    enabled = fields.Boolean(string='Allowed')
+    css_class = fields.Char(string='CSS class', default='fa fa-fw fa-sign-in text-primary')
+    body = fields.Char(required=True, help='Link text in Login Dialog', translate=True)
+    sequence = fields.Integer(default=10)
diff --git a/addons/auth_oauth/models/ir_config_parameter.py b/addons/auth_oauth/models/ir_config_parameter.py
new file mode 100644
index 00000000..6a302e2b
--- /dev/null
+++ b/addons/auth_oauth/models/ir_config_parameter.py
@@ -0,0 +1,17 @@
+# -*- coding: utf-8 -*-
+# Part of Odoo. See LICENSE file for full copyright and licensing details.
+
+from odoo import models
+
+
+class IrConfigParameter(models.Model):
+    _inherit = 'ir.config_parameter'
+
+    def init(self, force=False):
+        super(IrConfigParameter, self).init(force=force)
+        if force:
+            oauth_oe = self.env.ref('auth_oauth.provider_openerp')
+            if not oauth_oe:
+                return
+            dbuuid = self.sudo().get_param('database.uuid')
+            oauth_oe.write({'client_id': dbuuid})
diff --git a/addons/auth_oauth/models/res_config_settings.py b/addons/auth_oauth/models/res_config_settings.py
new file mode 100644
index 00000000..0c20ab66
--- /dev/null
+++ b/addons/auth_oauth/models/res_config_settings.py
@@ -0,0 +1,39 @@
+# -*- coding: utf-8 -*-
+# Part of Odoo. See LICENSE file for full copyright and licensing details.
+
+import logging
+
+from odoo import api, fields, models
+
+_logger = logging.getLogger(__name__)
+
+
+class ResConfigSettings(models.TransientModel):
+    _inherit = 'res.config.settings'
+
+    @api.model
+    def get_uri(self):
+        return "%s/auth_oauth/signin" % (self.env['ir.config_parameter'].get_param('web.base.url'))
+
+    auth_oauth_google_enabled = fields.Boolean(string='Allow users to sign in with Google')
+    auth_oauth_google_client_id = fields.Char(string='Client ID')
+    server_uri_google = fields.Char(string='Server uri')
+
+    @api.model
+    def get_values(self):
+        res = super(ResConfigSettings, self).get_values()
+        google_provider = self.env.ref('auth_oauth.provider_google', False)
+        google_provider and res.update(
+            auth_oauth_google_enabled=google_provider.enabled,
+            auth_oauth_google_client_id=google_provider.client_id,
+            server_uri_google=self.get_uri(),
+        )
+        return res
+
+    def set_values(self):
+        super(ResConfigSettings, self).set_values()
+        google_provider = self.env.ref('auth_oauth.provider_google', False)
+        google_provider and google_provider.write({
+            'enabled': self.auth_oauth_google_enabled,
+            'client_id': self.auth_oauth_google_client_id,
+        })
diff --git a/addons/auth_oauth/models/res_users.py b/addons/auth_oauth/models/res_users.py
new file mode 100644
index 00000000..02a2bd97
--- /dev/null
+++ b/addons/auth_oauth/models/res_users.py
@@ -0,0 +1,124 @@
+# -*- coding: utf-8 -*-
+# Part of Odoo. See LICENSE file for full copyright and licensing details.
+
+import json
+
+import requests
+
+from odoo import api, fields, models
+from odoo.exceptions import AccessDenied, UserError
+from odoo.addons.auth_signup.models.res_users import SignupError
+
+from odoo.addons import base
+base.models.res_users.USER_PRIVATE_FIELDS.append('oauth_access_token')
+
+class ResUsers(models.Model):
+    _inherit = 'res.users'
+
+    oauth_provider_id = fields.Many2one('auth.oauth.provider', string='OAuth Provider')
+    oauth_uid = fields.Char(string='OAuth User ID', help="Oauth Provider user_id", copy=False)
+    oauth_access_token = fields.Char(string='OAuth Access Token', readonly=True, copy=False)
+
+    _sql_constraints = [
+        ('uniq_users_oauth_provider_oauth_uid', 'unique(oauth_provider_id, oauth_uid)', 'OAuth UID must be unique per provider'),
+    ]
+
+    @api.model
+    def _auth_oauth_rpc(self, endpoint, access_token):
+        return requests.get(endpoint, params={'access_token': access_token}).json()
+
+    @api.model
+    def _auth_oauth_validate(self, provider, access_token):
+        """ return the validation data corresponding to the access token """
+        oauth_provider = self.env['auth.oauth.provider'].browse(provider)
+        validation = self._auth_oauth_rpc(oauth_provider.validation_endpoint, access_token)
+        if validation.get("error"):
+            raise Exception(validation['error'])
+        if oauth_provider.data_endpoint:
+            data = self._auth_oauth_rpc(oauth_provider.data_endpoint, access_token)
+            validation.update(data)
+        return validation
+
+    @api.model
+    def _generate_signup_values(self, provider, validation, params):
+        oauth_uid = validation['user_id']
+        email = validation.get('email', 'provider_%s_user_%s' % (provider, oauth_uid))
+        name = validation.get('name', email)
+        return {
+            'name': name,
+            'login': email,
+            'email': email,
+            'oauth_provider_id': provider,
+            'oauth_uid': oauth_uid,
+            'oauth_access_token': params['access_token'],
+            'active': True,
+        }
+
+    @api.model
+    def _auth_oauth_signin(self, provider, validation, params):
+        """ retrieve and sign in the user corresponding to provider and validated access token
+            :param provider: oauth provider id (int)
+            :param validation: result of validation of access token (dict)
+            :param params: oauth parameters (dict)
+            :return: user login (str)
+            :raise: AccessDenied if signin failed
+
+            This method can be overridden to add alternative signin methods.
+        """
+        oauth_uid = validation['user_id']
+        try:
+            oauth_user = self.search([("oauth_uid", "=", oauth_uid), ('oauth_provider_id', '=', provider)])
+            if not oauth_user:
+                raise AccessDenied()
+            assert len(oauth_user) == 1
+            oauth_user.write({'oauth_access_token': params['access_token']})
+            return oauth_user.login
+        except AccessDenied as access_denied_exception:
+            if self.env.context.get('no_user_creation'):
+                return None
+            state = json.loads(params['state'])
+            token = state.get('t')
+            values = self._generate_signup_values(provider, validation, params)
+            try:
+                _, login, _ = self.signup(values, token)
+                return login
+            except (SignupError, UserError):
+                raise access_denied_exception
+
+    @api.model
+    def auth_oauth(self, provider, params):
+        # Advice by Google (to avoid Confused Deputy Problem)
+        # if validation.audience != OUR_CLIENT_ID:
+        #   abort()
+        # else:
+        #   continue with the process
+        access_token = params.get('access_token')
+        validation = self._auth_oauth_validate(provider, access_token)
+        # required check
+        if not validation.get('user_id'):
+            # Workaround: facebook does not send 'user_id' in Open Graph Api
+            if validation.get('id'):
+                validation['user_id'] = validation['id']
+            else:
+                raise AccessDenied()
+
+        # retrieve and sign in user
+        login = self._auth_oauth_signin(provider, validation, params)
+        if not login:
+            raise AccessDenied()
+        # return user credentials
+        return (self.env.cr.dbname, login, access_token)
+
+    def _check_credentials(self, password, env):
+        try:
+            return super(ResUsers, self)._check_credentials(password, env)
+        except AccessDenied:
+            passwd_allowed = env['interactive'] or not self.env.user._rpc_api_keys_only()
+            if passwd_allowed and self.env.user.active:
+                res = self.sudo().search([('id', '=', self.env.uid), ('oauth_access_token', '=', password)])
+                if res:
+                    return
+            raise
+
+    def _get_session_token_fields(self):
+        return super(ResUsers, self)._get_session_token_fields() | {'oauth_access_token'}