2018-07-13 09:43:08 +00:00
|
|
|
"""Provide an authentication layer for Home Assistant."""
|
|
|
|
|
import asyncio
|
|
|
|
|
import logging
|
|
|
|
|
from collections import OrderedDict
|
2018-09-11 10:05:15 +00:00
|
|
|
from datetime import timedelta
|
2018-08-21 17:48:24 +00:00
|
|
|
from typing import Any, Dict, List, Optional, Tuple, cast
|
2018-07-13 09:43:08 +00:00
|
|
|
|
2018-08-14 19:14:12 +00:00
|
|
|
import jwt
|
|
|
|
|
|
2018-07-13 09:43:08 +00:00
|
|
|
from homeassistant import data_entry_flow
|
2018-09-11 10:05:15 +00:00
|
|
|
from homeassistant.auth.const import ACCESS_TOKEN_EXPIRATION
|
2018-07-31 14:00:17 +00:00
|
|
|
from homeassistant.core import callback, HomeAssistant
|
2018-08-14 19:14:12 +00:00
|
|
|
from homeassistant.util import dt as dt_util
|
2018-07-13 09:43:08 +00:00
|
|
|
|
2018-08-16 20:25:41 +00:00
|
|
|
from . import auth_store, models
|
2018-11-08 11:57:00 +00:00
|
|
|
from .const import GROUP_ID_ADMIN
|
2018-08-22 07:52:34 +00:00
|
|
|
from .mfa_modules import auth_mfa_module_from_config, MultiFactorAuthModule
|
|
|
|
|
from .providers import auth_provider_from_config, AuthProvider, LoginFlow
|
2018-07-13 09:43:08 +00:00
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
EVENT_USER_ADDED = "user_added"
|
|
|
|
|
EVENT_USER_REMOVED = "user_removed"
|
2018-10-11 15:06:51 +00:00
|
|
|
|
2018-07-13 09:43:08 +00:00
|
|
|
_LOGGER = logging.getLogger(__name__)
|
2018-08-22 07:52:34 +00:00
|
|
|
_MfaModuleDict = Dict[str, MultiFactorAuthModule]
|
2018-08-16 20:25:41 +00:00
|
|
|
_ProviderKey = Tuple[str, Optional[str]]
|
|
|
|
|
_ProviderDict = Dict[_ProviderKey, AuthProvider]
|
2018-07-13 09:43:08 +00:00
|
|
|
|
|
|
|
|
|
2018-07-31 14:00:17 +00:00
|
|
|
async def auth_manager_from_config(
|
2019-07-31 19:25:30 +00:00
|
|
|
hass: HomeAssistant,
|
|
|
|
|
provider_configs: List[Dict[str, Any]],
|
|
|
|
|
module_configs: List[Dict[str, Any]],
|
|
|
|
|
) -> "AuthManager":
|
2018-08-28 18:54:01 +00:00
|
|
|
"""Initialize an auth manager from config.
|
|
|
|
|
|
|
|
|
|
CORE_CONFIG_SCHEMA will make sure do duplicated auth providers or
|
|
|
|
|
mfa modules exist in configs.
|
|
|
|
|
"""
|
2018-07-13 09:43:08 +00:00
|
|
|
store = auth_store.AuthStore(hass)
|
|
|
|
|
if provider_configs:
|
|
|
|
|
providers = await asyncio.gather(
|
2019-07-31 19:25:30 +00:00
|
|
|
*(
|
|
|
|
|
auth_provider_from_config(hass, store, config)
|
|
|
|
|
for config in provider_configs
|
|
|
|
|
)
|
|
|
|
|
)
|
2018-07-13 09:43:08 +00:00
|
|
|
else:
|
2018-08-16 20:25:41 +00:00
|
|
|
providers = ()
|
2018-07-13 09:43:08 +00:00
|
|
|
# So returned auth providers are in same order as config
|
2019-09-04 03:36:04 +00:00
|
|
|
provider_hash: _ProviderDict = OrderedDict()
|
2018-07-13 09:43:08 +00:00
|
|
|
for provider in providers:
|
|
|
|
|
key = (provider.type, provider.id)
|
|
|
|
|
provider_hash[key] = provider
|
2018-08-22 07:52:34 +00:00
|
|
|
|
|
|
|
|
if module_configs:
|
|
|
|
|
modules = await asyncio.gather(
|
2019-07-31 19:25:30 +00:00
|
|
|
*(auth_mfa_module_from_config(hass, config) for config in module_configs)
|
|
|
|
|
)
|
2018-08-22 07:52:34 +00:00
|
|
|
else:
|
|
|
|
|
modules = ()
|
|
|
|
|
# So returned auth modules are in same order as config
|
2019-09-04 03:36:04 +00:00
|
|
|
module_hash: _MfaModuleDict = OrderedDict()
|
2018-08-22 07:52:34 +00:00
|
|
|
for module in modules:
|
|
|
|
|
module_hash[module.id] = module
|
|
|
|
|
|
|
|
|
|
manager = AuthManager(hass, store, provider_hash, module_hash)
|
2018-07-13 09:43:08 +00:00
|
|
|
return manager
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class AuthManager:
|
|
|
|
|
"""Manage the authentication for Home Assistant."""
|
|
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
def __init__(
|
|
|
|
|
self,
|
|
|
|
|
hass: HomeAssistant,
|
|
|
|
|
store: auth_store.AuthStore,
|
|
|
|
|
providers: _ProviderDict,
|
|
|
|
|
mfa_modules: _MfaModuleDict,
|
|
|
|
|
) -> None:
|
2018-07-13 09:43:08 +00:00
|
|
|
"""Initialize the auth manager."""
|
2018-08-22 07:52:34 +00:00
|
|
|
self.hass = hass
|
2018-07-13 09:43:08 +00:00
|
|
|
self._store = store
|
|
|
|
|
self._providers = providers
|
2018-08-22 07:52:34 +00:00
|
|
|
self._mfa_modules = mfa_modules
|
2018-07-13 09:43:08 +00:00
|
|
|
self.login_flow = data_entry_flow.FlowManager(
|
2019-07-31 19:25:30 +00:00
|
|
|
hass, self._async_create_login_flow, self._async_finish_login_flow
|
|
|
|
|
)
|
2018-07-13 09:43:08 +00:00
|
|
|
|
|
|
|
|
@property
|
2018-08-16 20:25:41 +00:00
|
|
|
def auth_providers(self) -> List[AuthProvider]:
|
2018-07-13 09:43:08 +00:00
|
|
|
"""Return a list of available auth providers."""
|
2018-07-13 13:31:20 +00:00
|
|
|
return list(self._providers.values())
|
|
|
|
|
|
2018-08-22 07:52:34 +00:00
|
|
|
@property
|
|
|
|
|
def auth_mfa_modules(self) -> List[MultiFactorAuthModule]:
|
|
|
|
|
"""Return a list of available auth modules."""
|
|
|
|
|
return list(self._mfa_modules.values())
|
|
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
def get_auth_provider(
|
|
|
|
|
self, provider_type: str, provider_id: str
|
|
|
|
|
) -> Optional[AuthProvider]:
|
2019-03-11 02:55:36 +00:00
|
|
|
"""Return an auth provider, None if not found."""
|
|
|
|
|
return self._providers.get((provider_type, provider_id))
|
|
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
def get_auth_providers(self, provider_type: str) -> List[AuthProvider]:
|
2019-03-11 02:55:36 +00:00
|
|
|
"""Return a List of auth provider of one type, Empty if not found."""
|
2019-07-31 19:25:30 +00:00
|
|
|
return [
|
|
|
|
|
provider
|
|
|
|
|
for (p_type, _), provider in self._providers.items()
|
|
|
|
|
if p_type == provider_type
|
|
|
|
|
]
|
2019-03-11 02:55:36 +00:00
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
def get_auth_mfa_module(self, module_id: str) -> Optional[MultiFactorAuthModule]:
|
2019-03-11 02:55:36 +00:00
|
|
|
"""Return a multi-factor auth module, None if not found."""
|
2018-08-22 07:52:34 +00:00
|
|
|
return self._mfa_modules.get(module_id)
|
|
|
|
|
|
2018-08-16 20:25:41 +00:00
|
|
|
async def async_get_users(self) -> List[models.User]:
|
2018-07-13 13:31:20 +00:00
|
|
|
"""Retrieve all users."""
|
|
|
|
|
return await self._store.async_get_users()
|
2018-07-13 09:43:08 +00:00
|
|
|
|
2018-08-16 20:25:41 +00:00
|
|
|
async def async_get_user(self, user_id: str) -> Optional[models.User]:
|
2018-07-13 09:43:08 +00:00
|
|
|
"""Retrieve a user."""
|
|
|
|
|
return await self._store.async_get_user(user_id)
|
|
|
|
|
|
2019-03-11 02:55:36 +00:00
|
|
|
async def async_get_owner(self) -> Optional[models.User]:
|
|
|
|
|
"""Retrieve the owner."""
|
|
|
|
|
users = await self.async_get_users()
|
|
|
|
|
return next((user for user in users if user.is_owner), None)
|
|
|
|
|
|
2018-11-21 11:26:08 +00:00
|
|
|
async def async_get_group(self, group_id: str) -> Optional[models.Group]:
|
|
|
|
|
"""Retrieve all groups."""
|
|
|
|
|
return await self._store.async_get_group(group_id)
|
|
|
|
|
|
2018-08-22 07:52:34 +00:00
|
|
|
async def async_get_user_by_credentials(
|
2019-07-31 19:25:30 +00:00
|
|
|
self, credentials: models.Credentials
|
|
|
|
|
) -> Optional[models.User]:
|
2018-08-22 07:52:34 +00:00
|
|
|
"""Get a user by credential, return None if not found."""
|
|
|
|
|
for user in await self.async_get_users():
|
|
|
|
|
for creds in user.credentials:
|
|
|
|
|
if creds.id == credentials.id:
|
|
|
|
|
return user
|
|
|
|
|
|
|
|
|
|
return None
|
|
|
|
|
|
2018-11-25 17:04:48 +00:00
|
|
|
async def async_create_system_user(
|
2019-07-31 19:25:30 +00:00
|
|
|
self, name: str, group_ids: Optional[List[str]] = None
|
|
|
|
|
) -> models.User:
|
2018-07-13 09:43:08 +00:00
|
|
|
"""Create a system user."""
|
2018-10-11 15:06:51 +00:00
|
|
|
user = await self._store.async_create_user(
|
2019-07-31 19:25:30 +00:00
|
|
|
name=name, system_generated=True, is_active=True, group_ids=group_ids or []
|
2018-07-13 09:43:08 +00:00
|
|
|
)
|
|
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
self.hass.bus.async_fire(EVENT_USER_ADDED, {"user_id": user.id})
|
2018-10-11 15:06:51 +00:00
|
|
|
|
|
|
|
|
return user
|
|
|
|
|
|
2018-08-16 20:25:41 +00:00
|
|
|
async def async_create_user(self, name: str) -> models.User:
|
2018-07-13 13:31:20 +00:00
|
|
|
"""Create a user."""
|
2019-09-04 03:36:04 +00:00
|
|
|
kwargs: Dict[str, Any] = {
|
2019-07-31 19:25:30 +00:00
|
|
|
"name": name,
|
|
|
|
|
"is_active": True,
|
|
|
|
|
"group_ids": [GROUP_ID_ADMIN],
|
2019-09-04 03:36:04 +00:00
|
|
|
}
|
2018-07-15 18:46:15 +00:00
|
|
|
|
|
|
|
|
if await self._user_should_be_owner():
|
2019-07-31 19:25:30 +00:00
|
|
|
kwargs["is_owner"] = True
|
2018-07-15 18:46:15 +00:00
|
|
|
|
2018-10-11 15:06:51 +00:00
|
|
|
user = await self._store.async_create_user(**kwargs)
|
|
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
self.hass.bus.async_fire(EVENT_USER_ADDED, {"user_id": user.id})
|
2018-10-11 15:06:51 +00:00
|
|
|
|
|
|
|
|
return user
|
2018-07-13 13:31:20 +00:00
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
async def async_get_or_create_user(
|
|
|
|
|
self, credentials: models.Credentials
|
|
|
|
|
) -> models.User:
|
2018-07-13 09:43:08 +00:00
|
|
|
"""Get or create a user."""
|
|
|
|
|
if not credentials.is_new:
|
2018-08-22 07:52:34 +00:00
|
|
|
user = await self.async_get_user_by_credentials(credentials)
|
|
|
|
|
if user is None:
|
2019-07-31 19:25:30 +00:00
|
|
|
raise ValueError("Unable to find the user.")
|
2019-02-27 21:10:40 +00:00
|
|
|
return user
|
2018-07-13 09:43:08 +00:00
|
|
|
|
|
|
|
|
auth_provider = self._async_get_auth_provider(credentials)
|
2018-07-13 13:31:20 +00:00
|
|
|
|
|
|
|
|
if auth_provider is None:
|
2019-07-31 19:25:30 +00:00
|
|
|
raise RuntimeError("Credential with unknown provider encountered")
|
2018-07-13 13:31:20 +00:00
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
info = await auth_provider.async_user_meta_for_credentials(credentials)
|
2018-07-13 09:43:08 +00:00
|
|
|
|
2018-10-11 15:06:51 +00:00
|
|
|
user = await self._store.async_create_user(
|
2018-07-15 18:46:15 +00:00
|
|
|
credentials=credentials,
|
2018-08-16 20:25:41 +00:00
|
|
|
name=info.name,
|
|
|
|
|
is_active=info.is_active,
|
2018-12-03 10:34:01 +00:00
|
|
|
group_ids=[GROUP_ID_ADMIN],
|
2018-07-15 18:46:15 +00:00
|
|
|
)
|
2018-07-13 09:43:08 +00:00
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
self.hass.bus.async_fire(EVENT_USER_ADDED, {"user_id": user.id})
|
2018-10-11 15:06:51 +00:00
|
|
|
|
|
|
|
|
return user
|
|
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
async def async_link_user(
|
|
|
|
|
self, user: models.User, credentials: models.Credentials
|
|
|
|
|
) -> None:
|
2018-07-13 09:43:08 +00:00
|
|
|
"""Link credentials to an existing user."""
|
|
|
|
|
await self._store.async_link_user(user, credentials)
|
|
|
|
|
|
2018-08-16 20:25:41 +00:00
|
|
|
async def async_remove_user(self, user: models.User) -> None:
|
2018-07-13 09:43:08 +00:00
|
|
|
"""Remove a user."""
|
2018-07-13 13:31:20 +00:00
|
|
|
tasks = [
|
|
|
|
|
self.async_remove_credentials(credentials)
|
|
|
|
|
for credentials in user.credentials
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
if tasks:
|
|
|
|
|
await asyncio.wait(tasks)
|
|
|
|
|
|
2018-07-13 09:43:08 +00:00
|
|
|
await self._store.async_remove_user(user)
|
|
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
self.hass.bus.async_fire(EVENT_USER_REMOVED, {"user_id": user.id})
|
2018-10-11 15:06:51 +00:00
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
async def async_update_user(
|
|
|
|
|
self,
|
|
|
|
|
user: models.User,
|
|
|
|
|
name: Optional[str] = None,
|
|
|
|
|
group_ids: Optional[List[str]] = None,
|
|
|
|
|
) -> None:
|
2018-11-25 17:04:48 +00:00
|
|
|
"""Update a user."""
|
2019-09-04 03:36:04 +00:00
|
|
|
kwargs: Dict[str, Any] = {}
|
2018-11-25 17:04:48 +00:00
|
|
|
if name is not None:
|
2019-07-31 19:25:30 +00:00
|
|
|
kwargs["name"] = name
|
2018-11-25 17:04:48 +00:00
|
|
|
if group_ids is not None:
|
2019-07-31 19:25:30 +00:00
|
|
|
kwargs["group_ids"] = group_ids
|
2018-11-25 17:04:48 +00:00
|
|
|
await self._store.async_update_user(user, **kwargs)
|
|
|
|
|
|
2018-08-16 20:25:41 +00:00
|
|
|
async def async_activate_user(self, user: models.User) -> None:
|
2018-07-15 18:46:15 +00:00
|
|
|
"""Activate a user."""
|
|
|
|
|
await self._store.async_activate_user(user)
|
|
|
|
|
|
2018-08-16 20:25:41 +00:00
|
|
|
async def async_deactivate_user(self, user: models.User) -> None:
|
2018-07-15 18:46:15 +00:00
|
|
|
"""Deactivate a user."""
|
2018-07-15 21:09:05 +00:00
|
|
|
if user.is_owner:
|
2019-07-31 19:25:30 +00:00
|
|
|
raise ValueError("Unable to deactive the owner")
|
2018-07-15 18:46:15 +00:00
|
|
|
await self._store.async_deactivate_user(user)
|
|
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
async def async_remove_credentials(self, credentials: models.Credentials) -> None:
|
2018-07-13 13:31:20 +00:00
|
|
|
"""Remove credentials."""
|
|
|
|
|
provider = self._async_get_auth_provider(credentials)
|
|
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
if provider is not None and hasattr(provider, "async_will_remove_credentials"):
|
2018-08-16 20:25:41 +00:00
|
|
|
# https://github.com/python/mypy/issues/1424
|
|
|
|
|
await provider.async_will_remove_credentials( # type: ignore
|
2019-07-31 19:25:30 +00:00
|
|
|
credentials
|
|
|
|
|
)
|
2018-07-13 13:31:20 +00:00
|
|
|
|
|
|
|
|
await self._store.async_remove_credentials(credentials)
|
|
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
async def async_enable_user_mfa(
|
|
|
|
|
self, user: models.User, mfa_module_id: str, data: Any
|
|
|
|
|
) -> None:
|
2018-08-22 07:52:34 +00:00
|
|
|
"""Enable a multi-factor auth module for user."""
|
|
|
|
|
if user.system_generated:
|
2019-07-31 19:25:30 +00:00
|
|
|
raise ValueError(
|
|
|
|
|
"System generated users cannot enable " "multi-factor auth module."
|
|
|
|
|
)
|
2018-08-22 07:52:34 +00:00
|
|
|
|
|
|
|
|
module = self.get_auth_mfa_module(mfa_module_id)
|
|
|
|
|
if module is None:
|
2019-08-23 16:53:33 +00:00
|
|
|
raise ValueError(f"Unable find multi-factor auth module: {mfa_module_id}")
|
2018-08-22 07:52:34 +00:00
|
|
|
|
|
|
|
|
await module.async_setup_user(user.id, data)
|
|
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
async def async_disable_user_mfa(
|
|
|
|
|
self, user: models.User, mfa_module_id: str
|
|
|
|
|
) -> None:
|
2018-08-22 07:52:34 +00:00
|
|
|
"""Disable a multi-factor auth module for user."""
|
|
|
|
|
if user.system_generated:
|
2019-07-31 19:25:30 +00:00
|
|
|
raise ValueError(
|
|
|
|
|
"System generated users cannot disable " "multi-factor auth module."
|
|
|
|
|
)
|
2018-08-22 07:52:34 +00:00
|
|
|
|
|
|
|
|
module = self.get_auth_mfa_module(mfa_module_id)
|
|
|
|
|
if module is None:
|
2019-08-23 16:53:33 +00:00
|
|
|
raise ValueError(f"Unable find multi-factor auth module: {mfa_module_id}")
|
2018-08-22 07:52:34 +00:00
|
|
|
|
|
|
|
|
await module.async_depose_user(user.id)
|
|
|
|
|
|
2018-08-26 20:38:52 +00:00
|
|
|
async def async_get_enabled_mfa(self, user: models.User) -> Dict[str, str]:
|
2018-08-22 07:52:34 +00:00
|
|
|
"""List enabled mfa modules for user."""
|
2019-09-04 03:36:04 +00:00
|
|
|
modules: Dict[str, str] = OrderedDict()
|
2018-08-22 07:52:34 +00:00
|
|
|
for module_id, module in self._mfa_modules.items():
|
|
|
|
|
if await module.async_is_user_setup(user.id):
|
2018-08-26 20:38:52 +00:00
|
|
|
modules[module_id] = module.name
|
|
|
|
|
return modules
|
2018-08-22 07:52:34 +00:00
|
|
|
|
2018-09-11 10:05:15 +00:00
|
|
|
async def async_create_refresh_token(
|
2019-07-31 19:25:30 +00:00
|
|
|
self,
|
|
|
|
|
user: models.User,
|
|
|
|
|
client_id: Optional[str] = None,
|
|
|
|
|
client_name: Optional[str] = None,
|
|
|
|
|
client_icon: Optional[str] = None,
|
|
|
|
|
token_type: Optional[str] = None,
|
|
|
|
|
access_token_expiration: timedelta = ACCESS_TOKEN_EXPIRATION,
|
|
|
|
|
) -> models.RefreshToken:
|
2018-07-13 09:43:08 +00:00
|
|
|
"""Create a new refresh token for a user."""
|
|
|
|
|
if not user.is_active:
|
2019-07-31 19:25:30 +00:00
|
|
|
raise ValueError("User is not active")
|
2018-07-13 09:43:08 +00:00
|
|
|
|
|
|
|
|
if user.system_generated and client_id is not None:
|
|
|
|
|
raise ValueError(
|
2019-07-31 19:25:30 +00:00
|
|
|
"System generated users cannot have refresh tokens connected "
|
|
|
|
|
"to a client."
|
|
|
|
|
)
|
2018-07-13 09:43:08 +00:00
|
|
|
|
2018-09-11 10:05:15 +00:00
|
|
|
if token_type is None:
|
|
|
|
|
if user.system_generated:
|
|
|
|
|
token_type = models.TOKEN_TYPE_SYSTEM
|
|
|
|
|
else:
|
|
|
|
|
token_type = models.TOKEN_TYPE_NORMAL
|
|
|
|
|
|
|
|
|
|
if user.system_generated != (token_type == models.TOKEN_TYPE_SYSTEM):
|
|
|
|
|
raise ValueError(
|
2019-07-31 19:25:30 +00:00
|
|
|
"System generated users can only have system type " "refresh tokens"
|
|
|
|
|
)
|
2018-09-11 10:05:15 +00:00
|
|
|
|
|
|
|
|
if token_type == models.TOKEN_TYPE_NORMAL and client_id is None:
|
2019-07-31 19:25:30 +00:00
|
|
|
raise ValueError("Client is required to generate a refresh token.")
|
2018-07-13 09:43:08 +00:00
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
if (
|
|
|
|
|
token_type == models.TOKEN_TYPE_LONG_LIVED_ACCESS_TOKEN
|
|
|
|
|
and client_name is None
|
|
|
|
|
):
|
|
|
|
|
raise ValueError("Client_name is required for long-lived access " "token")
|
2018-09-11 10:05:15 +00:00
|
|
|
|
|
|
|
|
if token_type == models.TOKEN_TYPE_LONG_LIVED_ACCESS_TOKEN:
|
|
|
|
|
for token in user.refresh_tokens.values():
|
2019-07-31 19:25:30 +00:00
|
|
|
if (
|
|
|
|
|
token.client_name == client_name
|
|
|
|
|
and token.token_type == models.TOKEN_TYPE_LONG_LIVED_ACCESS_TOKEN
|
|
|
|
|
):
|
2018-09-11 10:05:15 +00:00
|
|
|
# Each client_name can only have one
|
|
|
|
|
# long_lived_access_token type of refresh token
|
2019-08-23 16:53:33 +00:00
|
|
|
raise ValueError(f"{client_name} already exists")
|
2018-09-11 10:05:15 +00:00
|
|
|
|
|
|
|
|
return await self._store.async_create_refresh_token(
|
2019-07-31 19:25:30 +00:00
|
|
|
user,
|
|
|
|
|
client_id,
|
|
|
|
|
client_name,
|
|
|
|
|
client_icon,
|
|
|
|
|
token_type,
|
|
|
|
|
access_token_expiration,
|
|
|
|
|
)
|
2018-07-13 09:43:08 +00:00
|
|
|
|
2018-08-16 20:25:41 +00:00
|
|
|
async def async_get_refresh_token(
|
2019-07-31 19:25:30 +00:00
|
|
|
self, token_id: str
|
|
|
|
|
) -> Optional[models.RefreshToken]:
|
2018-08-14 19:14:12 +00:00
|
|
|
"""Get refresh token by id."""
|
|
|
|
|
return await self._store.async_get_refresh_token(token_id)
|
|
|
|
|
|
2018-08-16 20:25:41 +00:00
|
|
|
async def async_get_refresh_token_by_token(
|
2019-07-31 19:25:30 +00:00
|
|
|
self, token: str
|
|
|
|
|
) -> Optional[models.RefreshToken]:
|
2018-07-13 09:43:08 +00:00
|
|
|
"""Get refresh token by token."""
|
2018-08-14 19:14:12 +00:00
|
|
|
return await self._store.async_get_refresh_token_by_token(token)
|
2018-07-13 09:43:08 +00:00
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
async def async_remove_refresh_token(
|
|
|
|
|
self, refresh_token: models.RefreshToken
|
|
|
|
|
) -> None:
|
2018-08-21 18:02:55 +00:00
|
|
|
"""Delete a refresh token."""
|
|
|
|
|
await self._store.async_remove_refresh_token(refresh_token)
|
|
|
|
|
|
2018-07-13 09:43:08 +00:00
|
|
|
@callback
|
2019-07-31 19:25:30 +00:00
|
|
|
def async_create_access_token(
|
|
|
|
|
self, refresh_token: models.RefreshToken, remote_ip: Optional[str] = None
|
|
|
|
|
) -> str:
|
2018-07-13 09:43:08 +00:00
|
|
|
"""Create a new access token."""
|
2018-09-12 11:24:16 +00:00
|
|
|
self._store.async_log_refresh_token_usage(refresh_token, remote_ip)
|
|
|
|
|
|
2018-09-11 10:05:15 +00:00
|
|
|
now = dt_util.utcnow()
|
2019-07-31 19:25:30 +00:00
|
|
|
return jwt.encode(
|
|
|
|
|
{
|
|
|
|
|
"iss": refresh_token.id,
|
|
|
|
|
"iat": now,
|
|
|
|
|
"exp": now + refresh_token.access_token_expiration,
|
|
|
|
|
},
|
|
|
|
|
refresh_token.jwt_key,
|
|
|
|
|
algorithm="HS256",
|
|
|
|
|
).decode()
|
2018-08-14 19:14:12 +00:00
|
|
|
|
2018-08-16 20:25:41 +00:00
|
|
|
async def async_validate_access_token(
|
2019-07-31 19:25:30 +00:00
|
|
|
self, token: str
|
|
|
|
|
) -> Optional[models.RefreshToken]:
|
2018-08-21 18:02:55 +00:00
|
|
|
"""Return refresh token if an access token is valid."""
|
2018-08-14 19:14:12 +00:00
|
|
|
try:
|
|
|
|
|
unverif_claims = jwt.decode(token, verify=False)
|
|
|
|
|
except jwt.InvalidTokenError:
|
|
|
|
|
return None
|
2018-07-13 09:43:08 +00:00
|
|
|
|
2018-08-14 19:14:12 +00:00
|
|
|
refresh_token = await self.async_get_refresh_token(
|
2019-07-31 19:25:30 +00:00
|
|
|
cast(str, unverif_claims.get("iss"))
|
|
|
|
|
)
|
2018-08-14 19:14:12 +00:00
|
|
|
|
|
|
|
|
if refresh_token is None:
|
2019-07-31 19:25:30 +00:00
|
|
|
jwt_key = ""
|
|
|
|
|
issuer = ""
|
2018-08-14 19:14:12 +00:00
|
|
|
else:
|
|
|
|
|
jwt_key = refresh_token.jwt_key
|
|
|
|
|
issuer = refresh_token.id
|
|
|
|
|
|
|
|
|
|
try:
|
2019-07-31 19:25:30 +00:00
|
|
|
jwt.decode(token, jwt_key, leeway=10, issuer=issuer, algorithms=["HS256"])
|
2018-08-14 19:14:12 +00:00
|
|
|
except jwt.InvalidTokenError:
|
2018-07-13 09:43:08 +00:00
|
|
|
return None
|
|
|
|
|
|
2018-08-16 20:25:41 +00:00
|
|
|
if refresh_token is None or not refresh_token.user.is_active:
|
2018-07-13 09:43:08 +00:00
|
|
|
return None
|
|
|
|
|
|
2018-08-14 19:14:12 +00:00
|
|
|
return refresh_token
|
2018-07-13 09:43:08 +00:00
|
|
|
|
2018-08-16 20:25:41 +00:00
|
|
|
async def _async_create_login_flow(
|
2019-07-31 19:25:30 +00:00
|
|
|
self, handler: _ProviderKey, *, context: Optional[Dict], data: Optional[Any]
|
|
|
|
|
) -> data_entry_flow.FlowHandler:
|
2018-07-13 09:43:08 +00:00
|
|
|
"""Create a login flow."""
|
|
|
|
|
auth_provider = self._providers[handler]
|
|
|
|
|
|
2018-08-21 18:03:38 +00:00
|
|
|
return await auth_provider.async_login_flow(context)
|
2018-07-13 09:43:08 +00:00
|
|
|
|
2018-08-16 20:25:41 +00:00
|
|
|
async def _async_finish_login_flow(
|
2019-07-31 19:25:30 +00:00
|
|
|
self, flow: LoginFlow, result: Dict[str, Any]
|
|
|
|
|
) -> Dict[str, Any]:
|
2018-08-21 08:18:04 +00:00
|
|
|
"""Return a user as result of login flow."""
|
2019-07-31 19:25:30 +00:00
|
|
|
if result["type"] != data_entry_flow.RESULT_TYPE_CREATE_ENTRY:
|
2018-08-21 17:48:24 +00:00
|
|
|
return result
|
2018-07-13 09:43:08 +00:00
|
|
|
|
2018-08-22 07:52:34 +00:00
|
|
|
# we got final result
|
2019-07-31 19:25:30 +00:00
|
|
|
if isinstance(result["data"], models.User):
|
|
|
|
|
result["result"] = result["data"]
|
2018-08-22 07:52:34 +00:00
|
|
|
return result
|
|
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
auth_provider = self._providers[result["handler"]]
|
2018-08-21 17:48:24 +00:00
|
|
|
credentials = await auth_provider.async_get_or_create_credentials(
|
2019-07-31 19:25:30 +00:00
|
|
|
result["data"]
|
|
|
|
|
)
|
2018-07-13 09:43:08 +00:00
|
|
|
|
2019-08-16 23:19:00 +00:00
|
|
|
if flow.context.get("credential_only"):
|
2019-07-31 19:25:30 +00:00
|
|
|
result["result"] = credentials
|
2018-08-21 17:48:24 +00:00
|
|
|
return result
|
2018-08-21 08:18:04 +00:00
|
|
|
|
2018-08-22 07:52:34 +00:00
|
|
|
# multi-factor module cannot enabled for new credential
|
|
|
|
|
# which has not linked to a user yet
|
|
|
|
|
if auth_provider.support_mfa and not credentials.is_new:
|
|
|
|
|
user = await self.async_get_user_by_credentials(credentials)
|
|
|
|
|
if user is not None:
|
|
|
|
|
modules = await self.async_get_enabled_mfa(user)
|
|
|
|
|
|
|
|
|
|
if modules:
|
|
|
|
|
flow.user = user
|
|
|
|
|
flow.available_mfa_modules = modules
|
|
|
|
|
return await flow.async_step_select_mfa_module()
|
|
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
result["result"] = await self.async_get_or_create_user(credentials)
|
2018-08-21 17:48:24 +00:00
|
|
|
return result
|
2018-08-21 08:18:04 +00:00
|
|
|
|
2018-07-13 09:43:08 +00:00
|
|
|
@callback
|
2018-08-16 20:25:41 +00:00
|
|
|
def _async_get_auth_provider(
|
2019-07-31 19:25:30 +00:00
|
|
|
self, credentials: models.Credentials
|
|
|
|
|
) -> Optional[AuthProvider]:
|
2018-08-24 08:28:43 +00:00
|
|
|
"""Get auth provider from a set of credentials."""
|
2019-07-31 19:25:30 +00:00
|
|
|
auth_provider_key = (
|
|
|
|
|
credentials.auth_provider_type,
|
|
|
|
|
credentials.auth_provider_id,
|
|
|
|
|
)
|
2018-07-13 13:31:20 +00:00
|
|
|
return self._providers.get(auth_provider_key)
|
2018-07-15 18:46:15 +00:00
|
|
|
|
2018-08-16 20:25:41 +00:00
|
|
|
async def _user_should_be_owner(self) -> bool:
|
2018-07-15 18:46:15 +00:00
|
|
|
"""Determine if user should be owner.
|
|
|
|
|
|
|
|
|
|
A user should be an owner if it is the first non-system user that is
|
|
|
|
|
being created.
|
|
|
|
|
"""
|
|
|
|
|
for user in await self._store.async_get_users():
|
|
|
|
|
if not user.system_generated:
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
return True
|
