o
    Df*D                     @   s@   d dl mZmZ d dlmZ G dd deZdd Zdd Zd	S )
    )urlparseis_valid_url)is_secure_transportc                   @   s  e Zd ZdZg dZdd Zdd Zdd Zd	d
 Zdd Z	dd Z
dd Zdd Zdd Zdd Zdd Zdd Zdd Zdd Zdd  Zd!d" Zd#d$ Zd%d& Zd'd( Zd)d* Zd+d, Zd-d. Zed/d0 Zed1d2 Zed3d4 Zed5d6 Zed7d8 Z d9d: Z!d;d< Z"d=S )>AuthorizationServerMetadatazDefine Authorization Server Metadata via `Section 2`_ in RFC8414_.

    .. _RFC8414: https://tools.ietf.org/html/rfc8414
    .. _`Section 2`: https://tools.ietf.org/html/rfc8414#section-2
    )issuerauthorization_endpointtoken_endpointjwks_uriregistration_endpointscopes_supportedresponse_types_supportedresponse_modes_supportedgrant_types_supported%token_endpoint_auth_methods_supported0token_endpoint_auth_signing_alg_values_supportedservice_documentationui_locales_supportedop_policy_uri
op_tos_urirevocation_endpoint*revocation_endpoint_auth_methods_supported5revocation_endpoint_auth_signing_alg_values_supportedintrospection_endpoint-introspection_endpoint_auth_methods_supported8introspection_endpoint_auth_signing_alg_values_supported code_challenge_methods_supportedc                 C   sH   |  d}|stdt|}t|std|js|jr"tddS )zREQUIRED. The authorization server's issuer identifier, which is
        a URL that uses the "https" scheme and has no query or fragment
        components.
        r   z"issuer" is requiredz "issuer" MUST use "https" schemez!"issuer" has no query or fragmentN)get
ValueErrorr   r   queryfragment)selfr   parsed r"   V/home/ubuntu/webapp/venv/lib/python3.10/site-packages/authlib/oauth2/rfc8414/models.pyvalidate_issuer   s   

z+AuthorizationServerMetadata.validate_issuerc                 C   sH   |  d}|rt|stddS t| j}ddh}||@ r"tddS )zURL of the authorization server's authorization endpoint
        [RFC6749]. This is REQUIRED unless no grant types are supported
        that use the authorization endpoint.
        r   z0"authorization_endpoint" MUST use "https" schemeNauthorization_codeimplicitz$"authorization_endpoint" is required)r   r   r   setr   )r    urlr   authorization_grant_typesr"   r"   r#   validate_authorization_endpoint0   s   

z;AuthorizationServerMetadata.validate_authorization_endpointc                 C   sT   |  d}|rt|dkr|d dkrdS |  d}|s tdt|s(tddS )	zURL of the authorization server's token endpoint [RFC6749]. This
        is REQUIRED unless only the implicit grant type is supported.
        r      r   r&   Nr   z"token_endpoint" is requiredz("token_endpoint" MUST use "https" scheme)r   lenr   r   )r    r   r(   r"   r"   r#   validate_token_endpointA   s   

z3AuthorizationServerMetadata.validate_token_endpointc                 C   &   |  d}|rt|stddS dS )al  OPTIONAL.  URL of the authorization server's JWK Set [JWK]
        document.  The referenced document contains the signing key(s) the
        client uses to validate signatures from the authorization server.
        This URL MUST use the "https" scheme.  The JWK Set MAY also
        contain the server's encryption key or keys, which are used by
        clients to encrypt requests to the server.  When both signing and
        encryption keys are made available, a "use" (public key use)
        parameter value is REQUIRED for all keys in the referenced JWK Set
        to indicate each key's intended usage.
        r	   z""jwks_uri" MUST use "https" schemeNr   r   r   r    r(   r"   r"   r#   validate_jwks_uriQ      
z-AuthorizationServerMetadata.validate_jwks_uric                 C   r.   )zwOPTIONAL.  URL of the authorization server's OAuth 2.0 Dynamic
        Client Registration endpoint [RFC7591].
        r
   z/"registration_endpoint" MUST use "https" schemeNr/   r0   r"   r"   r#   validate_registration_endpoint`      
z:AuthorizationServerMetadata.validate_registration_endpointc                 C      t | d dS )zRECOMMENDED. JSON array containing a list of the OAuth 2.0
        [RFC6749] "scope" values that this authorization server supports.
        Servers MAY choose not to advertise some supported scope values
        even when this parameter is used.
        r   Nvalidate_array_valuer    r"   r"   r#   validate_scopes_supportedi      z5AuthorizationServerMetadata.validate_scopes_supportedc                 C   s,   |  d}|stdt|tstddS )a=  REQUIRED.  JSON array containing a list of the OAuth 2.0
        "response_type" values that this authorization server supports.
        The array values used are the same as those used with the
        "response_types" parameter defined by "OAuth 2.0 Dynamic Client
        Registration Protocol" [RFC7591].
        r   z&"response_types_supported" is requiredz-"response_types_supported" MUST be JSON arrayN)r   r   
isinstancelist)r    r   r"   r"   r#   !validate_response_types_supportedq   s   

z=AuthorizationServerMetadata.validate_response_types_supportedc                 C   r5   )a  OPTIONAL.  JSON array containing a list of the OAuth 2.0
        "response_mode" values that this authorization server supports, as
        specified in "OAuth 2.0 Multiple Response Type Encoding Practices"
        [OAuth.Responses].  If omitted, the default is "["query",
        "fragment"]".  The response mode value "form_post" is also defined
        in "OAuth 2.0 Form Post Response Mode" [OAuth.Post].
        r   Nr6   r8   r"   r"   r#   !validate_response_modes_supported~      z=AuthorizationServerMetadata.validate_response_modes_supportedc                 C   r5   )a  OPTIONAL. JSON array containing a list of the OAuth 2.0 grant
        type values that this authorization server supports.  The array
        values used are the same as those used with the "grant_types"
        parameter defined by "OAuth 2.0 Dynamic Client Registration
        Protocol" [RFC7591].  If omitted, the default value is
        "["authorization_code", "implicit"]".
        r   Nr6   r8   r"   r"   r#   validate_grant_types_supported   r?   z:AuthorizationServerMetadata.validate_grant_types_supportedc                 C   r5   )a  OPTIONAL.  JSON array containing a list of client authentication
        methods supported by this token endpoint.  Client authentication
        method values are used in the "token_endpoint_auth_method"
        parameter defined in Section 2 of [RFC7591].  If omitted, the
        default is "client_secret_basic" -- the HTTP Basic Authentication
        Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
        r   Nr6   r8   r"   r"   r#   .validate_token_endpoint_auth_methods_supported   r?   zJAuthorizationServerMetadata.validate_token_endpoint_auth_methods_supportedc                 C      t | d| j dS )au  OPTIONAL.  JSON array containing a list of the JWS signing
        algorithms ("alg" values) supported by the token endpoint for the
        signature on the JWT [JWT] used to authenticate the client at the
        token endpoint for the "private_key_jwt" and "client_secret_jwt"
        authentication methods.  This metadata entry MUST be present if
        either of these authentication methods are specified in the
        "token_endpoint_auth_methods_supported" entry.  No default
        algorithms are implied if this entry is omitted.  Servers SHOULD
        support "RS256".  The value "none" MUST NOT be used.
        r   N)_validate_alg_valuesr   r8   r"   r"   r#   9validate_token_endpoint_auth_signing_alg_values_supported   
   zUAuthorizationServerMetadata.validate_token_endpoint_auth_signing_alg_values_supportedc                 C   r.   )ap  OPTIONAL. URL of a page containing human-readable information
        that developers might want or need to know when using the
        authorization server.  In particular, if the authorization server
        does not support Dynamic Client Registration, then information on
        how to register clients needs to be provided in this
        documentation.
        r   z%"service_documentation" MUST be a URLNr   r   r   r    valuer"   r"   r#   validate_service_documentation   s   
z:AuthorizationServerMetadata.validate_service_documentationc                 C   r5   )zOPTIONAL.  Languages and scripts supported for the user interface,
        represented as a JSON array of language tag values from BCP 47
        [RFC5646].  If omitted, the set of supported languages and scripts
        is unspecified.
        r   Nr6   r8   r"   r"   r#   validate_ui_locales_supported   r:   z9AuthorizationServerMetadata.validate_ui_locales_supportedc                 C   r.   )aj  OPTIONAL.  URL that the authorization server provides to the
        person registering the client to read about the authorization
        server's requirements on how the client can use the data provided
        by the authorization server.  The registration process SHOULD
        display this URL to the person registering the client if it is
        given.  As described in Section 5, despite the identifier
        "op_policy_uri" appearing to be OpenID-specific, its usage in this
        specification is actually referring to a general OAuth 2.0 feature
        that is not specific to OpenID Connect.
        r   z"op_policy_uri" MUST be a URLNrF   rG   r"   r"   r#   validate_op_policy_uri   r2   z2AuthorizationServerMetadata.validate_op_policy_uric                 C   r.   )a  OPTIONAL.  URL that the authorization server provides to the
        person registering the client to read about the authorization
        server's terms of service.  The registration process SHOULD
        display this URL to the person registering the client if it is
        given.  As described in Section 5, despite the identifier
        "op_tos_uri", appearing to be OpenID-specific, its usage in this
        specification is actually referring to a general OAuth 2.0 feature
        that is not specific to OpenID Connect.
        r   z"op_tos_uri" MUST be a URLNrF   rG   r"   r"   r#   validate_op_tos_uri   s   

z/AuthorizationServerMetadata.validate_op_tos_uric                 C   r.   )z\OPTIONAL. URL of the authorization server's OAuth 2.0 revocation
        endpoint [RFC7009].r   z-"revocation_endpoint" MUST use "https" schemeNr/   r0   r"   r"   r#   validate_revocation_endpoint   s   
z8AuthorizationServerMetadata.validate_revocation_endpointc                 C   r5   )a  OPTIONAL.  JSON array containing a list of client authentication
        methods supported by this revocation endpoint.  The valid client
        authentication method values are those registered in the IANA
        "OAuth Token Endpoint Authentication Methods" registry
        [IANA.OAuth.Parameters].  If omitted, the default is
        "client_secret_basic" -- the HTTP Basic Authentication Scheme
        specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
        r   Nr6   r8   r"   r"   r#   3validate_revocation_endpoint_auth_methods_supported   s   	zOAuthorizationServerMetadata.validate_revocation_endpoint_auth_methods_supportedc                 C   rB   )ac  OPTIONAL.  JSON array containing a list of the JWS signing
        algorithms ("alg" values) supported by the revocation endpoint for
        the signature on the JWT [JWT] used to authenticate the client at
        the revocation endpoint for the "private_key_jwt" and
        "client_secret_jwt" authentication methods.  This metadata entry
        MUST be present if either of these authentication methods are
        specified in the "revocation_endpoint_auth_methods_supported"
        entry.  No default algorithms are implied if this entry is
        omitted.  The value "none" MUST NOT be used.
        r   N)rC   r   r8   r"   r"   r#   >validate_revocation_endpoint_auth_signing_alg_values_supported   rE   zZAuthorizationServerMetadata.validate_revocation_endpoint_auth_signing_alg_values_supportedc                 C   r.   )ziOPTIONAL.  URL of the authorization server's OAuth 2.0
        introspection endpoint [RFC7662].
        r   z0"introspection_endpoint" MUST use "https" schemeNr/   r0   r"   r"   r#   validate_introspection_endpoint  r4   z;AuthorizationServerMetadata.validate_introspection_endpointc                 C   r5   )aU  OPTIONAL.  JSON array containing a list of client authentication
        methods supported by this introspection endpoint.  The valid
        client authentication method values are those registered in the
        IANA "OAuth Token Endpoint Authentication Methods" registry
        [IANA.OAuth.Parameters] or those registered in the IANA "OAuth
        Access Token Types" registry [IANA.OAuth.Parameters].  (These
        values are and will remain distinct, due to Section 7.2.)  If
        omitted, the set of supported authentication methods MUST be
        determined by other means.
        r   Nr6   r8   r"   r"   r#   6validate_introspection_endpoint_auth_methods_supported
  s   zRAuthorizationServerMetadata.validate_introspection_endpoint_auth_methods_supportedc                 C   rB   )al  OPTIONAL.  JSON array containing a list of the JWS signing
        algorithms ("alg" values) supported by the introspection endpoint
        for the signature on the JWT [JWT] used to authenticate the client
        at the introspection endpoint for the "private_key_jwt" and
        "client_secret_jwt" authentication methods.  This metadata entry
        MUST be present if either of these authentication methods are
        specified in the "introspection_endpoint_auth_methods_supported"
        entry.  No default algorithms are implied if this entry is
        omitted.  The value "none" MUST NOT be used.
        r   N)rC   r   r8   r"   r"   r#   Avalidate_introspection_endpoint_auth_signing_alg_values_supported  rE   z]AuthorizationServerMetadata.validate_introspection_endpoint_auth_signing_alg_values_supportedc                 C   r5   )a  OPTIONAL.  JSON array containing a list of Proof Key for Code
        Exchange (PKCE) [RFC7636] code challenge methods supported by this
        authorization server.  Code challenge method values are used in
        the "code_challenge_method" parameter defined in Section 4.3 of
        [RFC7636].  The valid code challenge method values are those
        registered in the IANA "PKCE Code Challenge Methods" registry
        [IANA.OAuth.Parameters].  If omitted, the authorization server
        does not support PKCE.
        r   Nr6   r8   r"   r"   r#   )validate_code_challenge_methods_supported(  s   
zEAuthorizationServerMetadata.validate_code_challenge_methods_supportedc                 C      |  dddgS )Nr   r   r   r   r8   r"   r"   r#   r   4     z4AuthorizationServerMetadata.response_modes_supportedc                 C   rT   )Nr   r%   r&   rU   r8   r"   r"   r#   r   9  rV   z1AuthorizationServerMetadata.grant_types_supportedc                 C      |  ddgS )Nr   client_secret_basicrU   r8   r"   r"   r#   r   >     zAAuthorizationServerMetadata.token_endpoint_auth_methods_supportedc                 C   rW   )Nr   rX   rU   r8   r"   r"   r#   r   C  rY   zFAuthorizationServerMetadata.revocation_endpoint_auth_methods_supportedc                 C   rW   )Nr   rX   rU   r8   r"   r"   r#   r   H  s   zIAuthorizationServerMetadata.introspection_endpoint_auth_methods_supportedc                 C   s$   | j D ]}t| d|   qdS )z#Validate all server metadata value.	validate_N)REGISTRY_KEYSobject__getattribute__)r    keyr"   r"   r#   validateO  s   
z$AuthorizationServerMetadata.validatec              
   C   sL   zt | |W S  ty% } z|| jv r| |W  Y d }~S |d }~ww )N)r\   r]   AttributeErrorr[   r   )r    r^   errorr"   r"   r#   __getattr__T  s   
z'AuthorizationServerMetadata.__getattr__N)#__name__
__module____qualname____doc__r[   r$   r*   r-   r1   r3   r9   r=   r>   r@   rA   rD   rI   rJ   rK   rL   rM   rN   rO   rP   rQ   rR   rS   propertyr   r   r   r   r   r_   rb   r"   r"   r"   r#   r      sJ    	


	




r   c                 C   sx   |  |}|rt|tstd| dt|}ddh}||@ r*|s*td| d|r8d|v r:td| dd S d S )N"" MUST be JSON arrayprivate_key_jwtclient_secret_jwtz" is requirednonez&the value "none" MUST NOT be used in ")r   r;   r<   r   r'   )datar^   auth_methods_supportedrH   auth_methodsjwt_auth_methodsr"   r"   r#   rC   ]  s   

rC   c                 C   s4   |  |}|d urt|tstd| dd S d S )Nrh   ri   )r   r;   r<   r   )metadatar^   valuesr"   r"   r#   r7   m  s   
r7   N)	authlib.common.urlsr   r   authlib.common.securityr   dictr   rC   r7   r"   r"   r"   r#   <module>   s      Z