[ADD] webservice_base_oauth

Author: dreispt

webservice_base_oauth/README.rst

@@ -0,0 +1,87 @@
+=================================
+OAUth support for WebService Base
+=================================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:d31af855b383e1b4377ce1a4b848c05c8f9241bc0a3f1525de0e12aa8abaf552
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Production%2FStable-green.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Production/Stable
+.. |badge2| image:: https://img.shields.io/badge/licence-LGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html
+    :alt: License: LGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fweb--api-lightgray.png?logo=github
+    :target: https://github.com/OCA/web-api/tree/18.0/webservice_base_oauth
+    :alt: OCA/web-api
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/web-api-18-0/web-api-18-0-webservice_base_oauth
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/web-api&target_branch=18.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+Extends the Webservice framework to add OAuth support.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/web-api/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/web-api/issues/new?body=module:%20webservice_base_oauth%0Aversion:%2018.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* Creu Blanca
+* Camptocamp
+
+Contributors
+------------
+
+-  Enric Tobella <etobella@creublanca.es>
+-  Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
+-  Daniel Reis <dreis@opensourceintegrators.com>
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+.. |maintainer-etobella| image:: https://github.com/etobella.png?size=40px
+    :target: https://github.com/etobella
+    :alt: etobella
+
+Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
+
+|maintainer-etobella| 
+
+This module is part of the `OCA/web-api <https://github.com/OCA/web-api/tree/18.0/webservice_base_oauth>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

webservice_base_oauth/__init__.py

@@ -0,0 +1,2 @@
+from . import controllers
+from . import models

webservice_base_oauth/__manifest__.py

@@ -0,0 +1,18 @@
+# Copyright 2020 Creu Blanca
+# Copyright 2022 Camptocamp SA
+# @author Simone Orsi <simahawk@gmail.com>
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
+
+{
+    "name": "OAUth support for WebService Base",
+    "summary": "Adds OAuth support to webservice backends",
+    "version": "18.0.1.1.0",
+    "license": "LGPL-3",
+    "development_status": "Production/Stable",
+    "maintainers": ["etobella"],
+    "author": "Creu Blanca, Camptocamp, Odoo Community Association (OCA)",
+    "website": "https://github.com/OCA/web-api",
+    "depends": ["webservice_base"],
+    "external_dependencies": {"python": ["requests-oauthlib", "oauthlib", "responses"]},
+    "data": ["views/webservice_backend.xml"],
+}

webservice_base_oauth/controllers/__init__.py

@@ -0,0 +1 @@
+from . import oauth2

webservice_base_oauth/controllers/oauth2.py

@@ -0,0 +1,63 @@
+# Copyright 2024 Camptocamp SA
+# @author Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
+import json
+import logging
+
+from oauthlib.oauth2.rfc6749 import errors
+from werkzeug.urls import url_encode
+
+from odoo import http
+from odoo.http import request
+
+_logger = logging.getLogger(__name__)
+
+
+class OAuth2Controller(http.Controller):
+    @http.route(
+        "/webservice/<int:backend_id>/oauth2/redirect",
+        type="http",
+        auth="public",
+        csrf=False,
+    )
+    def redirect(self, backend_id, **params):
+        backend = request.env["webservice.backend"].browse(backend_id).sudo()
+        if backend.auth_type != "oauth2" or backend.oauth2_flow != "web_application":
+            _logger.error("unexpected backed config for backend %d", backend_id)
+            raise errors.MismatchingRedirectURIError()
+        expected_state = backend.oauth2_state
+        state = params.get("state")
+        if state != expected_state:
+            _logger.error("unexpected state: %s", state)
+            raise errors.MismatchingStateError()
+        code = params.get("code")
+        adapter = (
+            backend._get_adapter()
+        )  # we expect an adapter that supports web_application
+        token = adapter.fetch_token_from_authorization(code)
+        backend.write(
+            {
+                "oauth2_token": json.dumps(token),
+                "oauth2_state": False,
+            }
+        )
+        # after saving the token, redirect to the backend form view
+        uid = request.session.uid
+        user = request.env["res.users"].sudo().browse(uid)
+        cids = request.httprequest.cookies.get("cids", str(user.company_id.id))
+        cids = [int(cid) for cid in cids.split(",")]
+        record_action = backend._get_access_action()
+        url_params = {
+            "model": backend._name,
+            "id": backend.id,
+            "active_id": backend.id,
+            "action": record_action.get("id"),
+        }
+        view_id = backend.get_formview_id()
+        if view_id:
+            url_params["view_id"] = view_id
+
+        if cids:
+            url_params["cids"] = ",".join([str(cid) for cid in cids])
+        url = f"/web?#{url_encode(url_params)}"
+        return request.redirect(url)

webservice_base_oauth/models/__init__.py

@@ -0,0 +1,2 @@
+from . import webservice_backend_oauth
+from . import webservice_request_adapter_oauth

webservice_base_oauth/models/webservice_backend_oauth.py

@@ -0,0 +1,74 @@
+# Copyright 2020 Creu Blanca
+# Copyright 2022 Camptocamp SA
+# @author Simone Orsi <simahawk@gmail.com>
+# @author Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
+import logging
+
+from odoo import api, fields, models
+from odoo.tools import config
+
+_logger = logging.getLogger(__name__)
+
+
+class WebserviceBackend(models.Model):
+    _inherit = "webservice.backend"
+
+    auth_type = fields.Selection(selection_add=[("oauth2", "OAuth2")])
+    oauth2_flow = fields.Selection(
+        [
+            ("backend_application", "Backend Application (Client Credentials Grant)"),
+            ("web_application", "Web Application (Authorization Code Grant)"),
+        ],
+    )
+    oauth2_clientid = fields.Char(string="Client ID", auth_type="oauth2")
+    oauth2_client_secret = fields.Char(string="Client Secret", auth_type="oauth2")
+    oauth2_token_url = fields.Char(string="Token URL", auth_type="oauth2")
+    oauth2_authorization_url = fields.Char(string="Authorization URL")
+    oauth2_audience = fields.Char(
+        string="Audience"
+        # no auth_type because not required
+    )
+    oauth2_scope = fields.Char(help="scope of the the authorization")
+    oauth2_token = fields.Char(help="the OAuth2 token (serialized JSON)")
+    redirect_url = fields.Char(
+        compute="_compute_redirect_url",
+        help="The redirect URL to be used as part of the OAuth2 authorisation flow",
+    )
+    oauth2_state = fields.Char(
+        help="random key generated when authorization flow starts "
+        "to ensure that no CSRF attack happen"
+    )
+
+    def _get_adapter_protocol(self):
+        protocol = super()._get_adapter_protocol()
+        if self.auth_type.startswith("oauth2"):
+            protocol += f"+{self.auth_type}-{self.oauth2_flow}"
+        return protocol
+
+    @api.depends("auth_type", "oauth2_flow")
+    def _compute_redirect_url(self):
+        get_param = self.env["ir.config_parameter"].sudo().get_param
+        base_url = get_param("web.base.url")
+        if base_url.startswith("http://") and not config["test_enable"]:
+            _logger.warning(
+                "web.base.url is configured in http. Oauth2 requires using https"
+            )
+            base_url = base_url[len("http://") :]
+        if not base_url.startswith("https://"):
+            base_url = f"https://{base_url}"
+        for rec in self:
+            if rec.auth_type == "oauth2" and rec.oauth2_flow == "web_application":
+                rec.redirect_url = f"{base_url}/webservice/{rec.id}/oauth2/redirect"
+            else:
+                rec.redirect_url = False
+
+    def button_authorize(self):
+        _logger.info("Button OAuth2 Authorize")
+        authorize_url = self._get_adapter().redirect_to_authorize()
+        _logger.info("Redirecting to %s", authorize_url)
+        return {
+            "type": "ir.actions.act_url",
+            "url": authorize_url,
+            "target": "self",
+        }