Mercurial Repository: p/roundup/code: scripts/oauth-get-token.py comparison

comparison scripts/oauth-get-token.py @ 7090:8cda8e05c9a0

Update oauth-get-token script Detect if the redirect URI is http or https, additional options to force tls or force no tls. More documentation on default certificat/key plus add options to set cert- and keyfile.

author	Ralf Schlatterbeck <rsc@runtux.com>
date	Wed, 30 Nov 2022 15:41:24 +0100
parents	8d9a6063cb22
children	b26207712c2b

comparison

equal deleted inserted replaced

-:4d7977d51a4e
+:8cda8e05c9a0
 self.args    = args
 self.session = requests.session ()
 self.url     = '/'.join ((args.url.rstrip ('/'), args.tenant))
 self.url     = '/'.join ((self.url, 'oauth2/v2.0'))
 self.state   = None
+self.use_tls = self.args.use_tls
+if self.use_tls is None:
+self.use_tls = self.args.redirect_uri.startswith ('https')
 # end def __init__
 def check_err (self, r):
 if not 200 <= r.status_code <= 299:
 raise RuntimeError \
 self.wfile.flush ()
 port  = self.args.https_server_port
 httpd = HTTPServer (('localhost', port), RQ_Handler)
-httpd.socket = ssl.wrap_socket \
+if self.use_tls:
-( httpd.socket
+httpd.socket = ssl.wrap_socket \
-, keyfile     = "/etc/ssl/private/ssl-cert-snakeoil.key"
+( httpd.socket
-, certfile    = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+, keyfile     = self.args.keyfile
-, server_side = True
+, certfile    = self.args.certfile
-)
+, server_side = True
+)
 while not self.request_received:
 httpd.handle_request ()
 # end def https_server
 put the client id (also called application id) into the file
 'oauth/client_id' and the corresponding secret into the file
 'oauth/client_secret'.
 By default calling the script with no arguments, the whole process is
-automatic, but you may want to specify the tenant explicitly using:
+automatic. Note that the default TLS key used for the built-in server is
+a self-signed certificate which is automatically created on Debian-based
+(including Ubuntu) Linux distributions. But the key-file is not readable
+for everyone, you need to be in the group 'ssl-cert' or need otherwise
+elevated privileges. If you're using a http (as opposed to https)
+redirect URI, of course no TLS files are needed. You may want to specify
+the tenant explicitly using:
 ./oauth-get-token.py -t $TENANT
 Specifying the tenant explicitly will select the customized company
 login form directly.
 def main ():
 cmd = ArgumentParser \
 (epilog=epilog, formatter_class=RawDescriptionHelpFormatter)
 cmd.add_argument \
-( '-T', '--request-token'
-, help    = "Run only the token-request step"
-, action  = 'store_true'
-)
-cmd.add_argument \
 ( '-b', '--browser'
 , help    = "Use non-default browser"
+)
+cmd.add_argument \
+( '--certfile'
+, help    = "TLS certificate file, default=%(default)s"
+, default = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+)
+cmd.add_argument \
+( '--keyfile'
+, help    = "TLS key file, default=%(default)s"
+, default = "/etc/ssl/private/ssl-cert-snakeoil.key"
 )
 cmd.add_argument \
 ( '-n', '--dont-request-tokens'
 , dest    = 'request_tokens'
 , help    = "Do not request tokens, just write authcode"
 "to transmit auth code via GET request"
 , action  = 'store_false'
 , default = True
 )
 cmd.add_argument \
+( '-T', '--request-token'
+, help    = "Run only the token-request step"
+, action  = 'store_true'
+)
+cmd.add_argument \
 ( '-t', '--tenant'
 , help    = "Tenant part of url, default=%(default)s"
 , default = 'organizations'
+)
+cmd.add_argument \
+( '--use-tls'
+, help    = "Enforce use of TLS even if the redirect uri is http"
+, action  = 'store_true'
+, default = None
+)
+cmd.add_argument \
+( '--no-use-tls', '--dont-use-tls'
+, help    = "Disable use of TLS even if the redirect uri is https"
+, dest    = 'use_tls'
+, action  = 'store_false'
+, default = None
 )
 cmd.add_argument \
 ( '-u', '--url'
 , help    = "Base url for requests, default=%(default)s"
 , default = 'https://login.microsoftonline.com'

Mercurial > p > roundup > code

comparison scripts/oauth-get-token.py @ 7090:8cda8e05c9a0