Add token adapter/interface mechanism

lasley · lasley · commit 7a6d879fb9a6 · 2017-10-11T11:44:30.000-07:00
diff --git a/base_web_hook/controllers/main.py b/base_web_hook/controllers/main.py
@@ -14,4 +14,4 @@ class WebHookController(http.Controller):
     )
     def receive(self, slug, **kwargs):
         hook = self.env['web.hook'].search_by_slug(slug)
-        return hook.receive(kwargs)
+        return hook.receive(kwargs, http.request.httprequest.get_data())
diff --git a/base_web_hook/models/__init__.py b/base_web_hook/models/__init__.py
@@ -3,4 +3,6 @@
 
 from . import web_hook
 from . import web_hook_adapter
-from . import web_hook_generic
+from . import web_hook_token
+from . import web_hook_token_adapter
+from . import web_hook_token_plain
diff --git a/base_web_hook/models/web_hook.py b/base_web_hook/models/web_hook.py
@@ -4,7 +4,9 @@
 
 import logging
 
-from odoo import api, fields, models
+from werkzeug.exceptions import Unauthorized
+
+from odoo import api, fields, models, _
 
 _logger = logging.getLogger(__name__)
 
@@ -37,6 +39,10 @@ class WebHook(models.Model):
         help='This is the URI that is used to call the web hook externally.',
         compute='_compute_uri',
     )
+    token_id = fields.Many2one(
+        string='Token',
+        comodel_name='web.hook.token',
+    )
 
     @api.model
     def _get_interface_types(self):
@@ -72,20 +78,30 @@ def search_by_slug(self, slug):
         return self.browse(record_id)
 
     @api.multi
-    def receive(self, data=None):
+    def receive(self, data=None, data_string=None):
         """This method is used to receive a web hook.
 
-        It simply passes the received data to the underlying interface's
-        ``receive`` method for processing, and returns the result. The
-        result returned by the interface must be JSON serializable.
+        First it extracts the token, then validates using ``token.validate``
+        and raises as ``Unauthorized`` if it is invalid. It then passes the
+        received data to the underlying interface's ``receive`` method for
+        processing, and returns the result. The result returned by the
+        interface must be JSON serializable.
 
         Args:
-            data (dict, optional): Data to pass to the hook's ``receive``
-                method.
+            data (dict, optional): Parsed data that was received in the
+                request.
+            data_string (str, optional): The raw data that was received in the
+                request body.
 
         Returns:
             mixed: A JSON serializable return from the interface's
                 ``receive`` method.
         """
         self.ensure_one()
-        return self.interface.receive()
+        token = self.interface.extract_token(data)
+        if not self.token_id.validate(token, data, data_string):
+            raise Unauthorized(_(
+                'The request could not be processed: '
+                'An invalid token was received.'
+            ))
+        return self.interface.receive(data)
diff --git a/base_web_hook/models/web_hook_adapter.py b/base_web_hook/models/web_hook_adapter.py
@@ -32,3 +32,16 @@ def receive(self, data=None):
             mixed: A JSON serializable return, or ``None``.
         """
         raise NotImplementedError()
+
+    @api.multi
+    def extract_token(self, data=None):
+        """Extract the token from the data and return it.
+
+        Args:
+            data (dict, optional): Data that was received with the hook.
+
+        Returns:
+            mixed: The token data. Should be compatible with the hook's token
+                interface (the ``token`` parameter of ``token_id.validate``).
+        """
+        raise NotImplementedError()
diff --git a/base_web_hook/models/web_hook_generic.py b/base_web_hook/models/web_hook_generic.py
diff --git a/base_web_hook/models/web_hook_token.py b/base_web_hook/models/web_hook_token.py
@@ -0,0 +1,82 @@
+# -*- coding: utf-8 -*-
+# Copyright 2017 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
+
+import random
+import string
+
+from odoo import api, fields, models
+
+
+class WebHookToken(models.Model):
+    """This represents a generic token for use in a secure web hook exchange.
+
+    It serves as an interface for token adapters. No logic should need to be
+    added to this model in inherited modules.
+    """
+
+    _name = 'web.hook.token'
+    _description = 'Web Hook Token'
+
+    hook_id = fields.Many2one(
+        string='Hook',
+        comodel_name='web.hook',
+        required=True,
+        ondelete='cascade',
+    )
+    token = fields.Reference(
+        selection='_get_token_types',
+        readonly=True,
+        help='This is the token used for hook authentication. It is '
+             'created automatically upon creation of the web hook, and '
+             'is also deleted with it.',
+    )
+    token_type = fields.Selection(
+        selection='_get_token_types',
+        required=True,
+    )
+    secret = fields.Char(
+        help='This is the secret that is configured for the token exchange. '
+             'This configuration is typically performed when setting the '
+             'token up in the remote system. For ease, a secure random value '
+             'has been provided as a default.',
+        default=lambda s: s._default_secret(),
+    )
+
+    @api.model
+    def _get_token_types(self):
+        """Return the web hook token interface models that are installed."""
+        adapter = self.env['web.hook.token.adapter']
+        return [
+            (m, self.env[m]._description) for m in adapter._inherit_children
+        ]
+
+    @api.model
+    def _default_secret(self, length=254):
+        characters = string.printable.split()[0]
+        return ''.join(
+            random.choice(characters) for _ in range(length)
+        )
+
+    @api.multi
+    def validate(self, token, data=None, data_string=None):
+        """This method is used to validate a web hook.
+
+        It simply passes the received data to the underlying token's
+        ``validate`` method for processing, and returns the result.
+
+        Args:
+            token (mixed): The "secure" token string that should be validated
+                against the dataset. Typically a string.
+            data (dict, optional): Parsed data that was received with the
+                request.
+            data_string (str, optional): Raw form data that was received in
+                the request. This is useful for computation of hashes, because
+                Python dictionaries do not maintain sort order and thus are
+                useless for crypto.
+
+        Returns:
+            bool: If the token is valid or not.
+        """
+        self.ensure_one()
+        return self.token.validate(token, data, data_string)
diff --git a/base_web_hook/models/web_hook_token_adapter.py b/base_web_hook/models/web_hook_token_adapter.py
@@ -0,0 +1,41 @@
+# -*- coding: utf-8 -*-
+# Copyright 2017 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
+
+from odoo import api, fields, models
+
+
+class WebHookTokenAdapter(models.AbstractModel):
+    """This should be inherited by all token interfaces."""
+
+    _name = 'web.hook.token.adapter'
+    _description = 'Web Hook Token Adapter'
+
+    token_id = fields.Many2one(
+        string='Token',
+        comodel_name='web.hook.token',
+        required=True,
+        ondelete='cascade',
+    )
+
+    @api.multi
+    def validate(self, token_string, data, data_string):
+        """Return ``True`` if the token is valid. Otherwise, ``False``.
+
+        Child models should inherit this method to provide token validation
+        logic.
+
+        Args:
+            token_string (str): The "secure" token string that should be
+                validated against the dataset.
+            data (dict, optional): Parsed data that was received with the
+                request.
+            data_string (str, optional): Raw form data that was received in
+                the request. This is useful for computation of hashes, because
+                Python dictionaries do not maintain sort order and thus are
+                useless for crypto.
+
+        Returns:
+            bool: If the token is valid or not.
+        """
+        raise NotImplementedError()
diff --git a/base_web_hook/models/web_hook_token_plain.py b/base_web_hook/models/web_hook_token_plain.py
@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+# Copyright 2017 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
+
+from odoo import api, fields, models
+
+
+class WebHookTokenPlain(models.Model):
+    """This is a plain text token."""
+
+    _name = 'web.hook.token.plain'
+    _inherit = 'web.hook.token.adapter'
+    _description = 'Web Hook Token - Plain'
+
+    @api.multi
+    def validate(self, token_string, _, _):
+        """Return ``True`` if the received token is the same as configured.
+        """
+        return token_string == self.token_id.secret
diff --git a/base_web_hook/models/website.py b/base_web_hook/models/website.py
@@ -0,0 +1,12 @@
+# -*- coding: utf-8 -*-
+# Copyright 2017 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
+
+from odoo import api, fields, models
+
+
+class Website(models.Model):
+    _inherit = 'website'
+
+
+

Original file line number	Diff line number	Diff line change
`@@ -14,4 +14,4 @@ class WebHookController(http.Controller):`
`14`	`14`	`)`
`15`	`15`	`def receive(self, slug, **kwargs):`
`16`	`16`	`hook = self.env['web.hook'].search_by_slug(slug)`
`17`		`- return hook.receive(kwargs)`
	`17`	`+ return hook.receive(kwargs, http.request.httprequest.get_data())`