Implement OAuth2 provider (#927)

- [x] Application management - [x] Link - [ ] Tests - [x] Authorize flow - [x] Tests - [x] Refresh token handling - [x] Tests - [x] Revocation endpoint - [x] Tests - [x] Mitigate: https://github.com/jazzband/django-oauth-toolkit/issues/585 - [x] API authenticator / permission driver - [x] Test - [x] Enforce organizer restriction - [x] Tests - [x] Enforce scope restriction - [x] Tests - [x] Show current applications to user - [x] Revoke - [x] Tests - [x] Log new authorizations - [x] notify user - [x] Ensure other grant types are not available - [x] Documentation - [x] check if revoking access toking, then refreshing gets rid of organizer constraint - [x] Show logentry foo
2018-06-05 12:58:04 +02:00
parent df031b2222
commit 69d10489b8
53 changed files with 1786 additions and 116 deletions
--- a/src/pretix/base/models/auth.py
+++ b/src/pretix/base/models/auth.py
@@ -25,13 +25,13 @@ class UserManager(BaseUserManager):
    model documentation to see what's so special about our user model.
    """

-    def create_user(self, email: str, password: str=None, **kwargs):
+    def create_user(self, email: str, password: str = None, **kwargs):
        user = self.model(email=email, **kwargs)
        user.set_password(password)
        user.save()
        return user

-    def create_superuser(self, email: str, password: str=None):  # NOQA
+    def create_superuser(self, email: str, password: str = None):  # NOQA
        # Not used in the software but required by Django
        if password is None:
            raise Exception("You must provide a password")
--- a/src/pretix/base/models/base.py
+++ b/src/pretix/base/models/base.py
@@ -36,7 +36,7 @@ def cached_file_delete(sender, instance, **kwargs):

 class LoggingMixin:

-    def log_action(self, action, data=None, user=None, api_token=None, save=True):
+    def log_action(self, action, data=None, user=None, api_token=None, auth=None, save=True):
        """
        Create a LogEntry object that is related to this object.
        See the LogEntry documentation for details.
@@ -47,6 +47,8 @@ class LoggingMixin:
        """
        from .log import LogEntry
        from .event import Event
+        from pretix.api.models import OAuthAccessToken, OAuthApplication
+        from .organizer import TeamAPIToken
        from ..notifications import get_all_notification_types
        from ..services.notifications import notify

@@ -57,7 +59,18 @@ class LoggingMixin:
            event = self.event
        if user and not user.is_authenticated:
            user = None
-        logentry = LogEntry(content_object=self, user=user, action_type=action, event=event, api_token=api_token)
+
+        kwargs = {}
+        if isinstance(auth, OAuthAccessToken):
+            kwargs['oauth_application'] = auth.application
+        elif isinstance(auth, OAuthApplication):
+            kwargs['oauth_application'] = auth
+        elif isinstance(auth, TeamAPIToken):
+            kwargs['api_token'] = auth
+        elif isinstance(api_token, TeamAPIToken):
+            kwargs['api_token'] = api_token
+
+        logentry = LogEntry(content_object=self, user=user, action_type=action, event=event, **kwargs)
        if data:
            logentry.data = json.dumps(data, cls=CustomJSONEncoder)
        if save:
@@ -83,4 +96,4 @@ class LoggedModel(models.Model, LoggingMixin):

        return LogEntry.objects.filter(
            content_type=ContentType.objects.get_for_model(type(self)), object_id=self.pk
-        ).select_related('user', 'event')
+        ).select_related('user', 'event', 'oauth_application', 'api_token')
--- a/src/pretix/base/models/log.py
+++ b/src/pretix/base/models/log.py
@@ -41,6 +41,7 @@ class LogEntry(models.Model):
    datetime = models.DateTimeField(auto_now_add=True, db_index=True)
    user = models.ForeignKey('User', null=True, blank=True, on_delete=models.PROTECT)
    api_token = models.ForeignKey('TeamAPIToken', null=True, blank=True, on_delete=models.PROTECT)
+    oauth_application = models.ForeignKey('pretixapi.OAuthApplication', null=True, blank=True, on_delete=models.PROTECT)
    event = models.ForeignKey('Event', null=True, blank=True, on_delete=models.SET_NULL)
    action_type = models.CharField(max_length=255)
    data = models.TextField(default='{}')
--- a/src/pretix/base/models/waitinglist.py
+++ b/src/pretix/base/models/waitinglist.py
@@ -77,7 +77,7 @@ class WaitingListEntry(LoggedModel):
        WaitingListEntry.clean_itemvar(self.event, self.item, self.variation)
        WaitingListEntry.clean_subevent(self.event, self.subevent)

-    def send_voucher(self, quota_cache=None, user=None, api_token=None):
+    def send_voucher(self, quota_cache=None, user=None, auth=None):
        availability = (
            self.variation.check_quotas(count_waitinglist=False, subevent=self.subevent, _cache=quota_cache)
            if self.variation
@@ -114,8 +114,8 @@ class WaitingListEntry(LoggedModel):
                'email': self.email,
                'waitinglistentry': self.pk,
                'subevent': self.subevent.pk if self.subevent else None,
-            }, user=user, api_token=api_token)
-            self.log_action('pretix.waitinglist.voucher', user=user, api_token=api_token)
+            }, user=user, auth=auth)
+            self.log_action('pretix.waitinglist.voucher', user=user, auth=auth)
            self.voucher = v
            self.save()