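def authorized():
    """OAuth callback for the xinniuren remote app.

    Reads the token data returned by the remote app, fetches the user's
    profile, checks it against the organisation's login policy and finally
    logs the user in and redirects to the sanitised post-login path.

    Returns:
        A Flask redirect response: to the login page on any validation
        failure, otherwise to the requested post-login path.
    """
    app = xinniuren_remote_app()
    resp = app.authorized_response()
    # If the exchange was denied or failed there is no token data to index;
    # ``resp['access_token']`` would raise (KeyError/TypeError) before the
    # ``is None`` guard below ever ran, so read the token defensively.
    access_token = (resp or {}).get('access_token')

    if access_token is None:
        logger.warning("Access token missing in call back request.")
        flash("Validation error. Please retry.")
        return redirect(url_for('redash.login'))

    profile = get_user_profile(access_token)
    if profile is None:
        flash("Validation error. Please retry.")
        return redirect(url_for('redash.login'))

    # An org slug stashed in the session before the OAuth round-trip takes
    # precedence over the org resolved from this request; pop it so it is
    # consumed exactly once.
    if 'org_slug' in session:
        org = models.Organization.get_by_slug(session.pop('org_slug'))
    else:
        org = current_org

    if not verify_profile(org, profile):
        logger.warning("User tried to login with unauthorized domain name: %s (org: %s)", profile['Email'], org)
        flash("Your Google Apps account ({}) isn't allowed.".format(profile['Email']))
        return redirect(url_for('redash.login', org_slug=org.slug))

    # A fixed default avatar is used instead of a provider-supplied picture URL.
    picture_url = "/static/images/avatar.svg"
    user = create_and_login_user(org, profile['UserName'], profile['Email'], picture_url)
    if user is None:
        return logout_and_redirect_to_index()

    # ``state`` carries the caller-supplied post-login path; it is untrusted
    # until get_next_path() has validated it (open-redirect protection).
    # NOTE(review): nothing here compares ``state`` with a stored value;
    # confirm the OAuth client layer performs that check.
    unsafe_next_path = request.args.get('state') or url_for("redash.index", org_slug=org.slug)
    next_path = get_next_path(unsafe_next_path)

    return redirect(next_path)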
def login(org_slug=None):
    """Log in the user named by the remote-user header.

    No credential check happens here: the identity is taken from the
    ``settings.REMOTE_USER_HEADER`` request header, which an upstream
    authenticating proxy is expected to set. The endpoint therefore only
    works when ``settings.REMOTE_USER_LOGIN_ENABLED`` is on.

    Args:
        org_slug: Organisation slug from the URL, forwarded to redirects.

    Returns:
        A Flask redirect to the sanitised ``next`` path (or the index).
    """
    # ``next`` is caller-controlled; get_next_path() sanitises it so the
    # post-login redirect cannot leave this site.
    next_path = get_next_path(request.args.get('next'))

    if not settings.REMOTE_USER_LOGIN_ENABLED:
        logger.error("Cannot use remote user for login without being enabled in settings")
        return redirect(url_for('redash.index', next=next_path, org_slug=org_slug))

    header_name = settings.REMOTE_USER_HEADER
    email = request.headers.get(header_name)

    # Some Apache auth configurations will, stupidly, set (null) instead of a
    # falsey value.  Special case that here so it Just Works for more installs.
    # '(null)' should never really be a value that anyone wants to legitimately
    # use as a redash user email.
    if email == '(null)':
        email = None

    if not email:
        logger.error("Cannot use remote user for login when it's not provided in the request (looked in headers['%s'])", header_name)
        return redirect(url_for('redash.index', next=next_path, org_slug=org_slug))

    logger.info("Logging in %s via remote user", email)

    # The header value doubles as display name and e-mail address.
    user = create_and_login_user(current_org, email, email)
    if user is None:
        return logout_and_redirect_to_index()

    destination = next_path or url_for('redash.index', org_slug=org_slug)
    return redirect(destination, code=302)
def login(org_slug=None):
    """Log in the user identified by the trusted remote-user header.

    The e-mail address is read from ``settings.REMOTE_USER_HEADER`` as set
    by an upstream authenticating proxy; this view itself verifies no
    credentials and bails out unless ``settings.REMOTE_USER_LOGIN_ENABLED``.

    Args:
        org_slug: Organisation slug from the URL, forwarded to redirects.

    Returns:
        A Flask redirect to the sanitised ``next`` path (or the index).
    """
    unsafe_next_path = request.args.get('next')
    next_path = get_next_path(unsafe_next_path)

    def back_to_index():
        # Shared failure exit: bounce to the index, keeping the sanitised
        # next path and the org slug so the user can retry from there.
        return redirect(
            url_for('redash.index', next=next_path, org_slug=org_slug))

    if not settings.REMOTE_USER_LOGIN_ENABLED:
        logger.error(
            "Cannot use remote user for login without being enabled in settings"
        )
        return back_to_index()

    header_name = settings.REMOTE_USER_HEADER
    email = request.headers.get(header_name)

    # Some Apache auth configurations will, stupidly, set (null) instead of a
    # falsey value.  Special case that here so it Just Works for more installs.
    # '(null)' should never really be a value that anyone wants to legitimately
    # use as a redash user email.
    if not email or email == '(null)':
        logger.error(
            "Cannot use remote user for login when it's not provided in the request (looked in headers['"
            + header_name + "'])")
        return back_to_index()

    logger.info("Logging in " + email + " via remote user")

    # The header value is used as both display name and e-mail address.
    user = create_and_login_user(current_org, email, email)
    if user is None:
        return logout_and_redirect_to_index()

    destination = next_path or url_for('redash.index', org_slug=org_slug)
    return redirect(destination, code=302)
def login(org_slug=None):
    """Render and process the LDAP login form.

    GET renders the form; POST hands the submitted credentials to
    ``auth_ldap_user`` and, on success, creates/logs in the matching
    Redash user.

    Args:
        org_slug: Organisation slug from the URL; passed through to the
            template and used for the default post-login path.

    Returns:
        A redirect on success (or when LDAP login is disabled / the user is
        already authenticated), otherwise the rendered login template.
    """
    index_url = url_for("redash.index", org_slug=org_slug)
    # ``next`` is caller-controlled; get_next_path() sanitises it so the
    # post-login redirect stays on this site.
    next_path = get_next_path(request.args.get('next', index_url))

    if not settings.LDAP_LOGIN_ENABLED:
        logger.error("Cannot use LDAP for login without being enabled in settings")
        return redirect(url_for('redash.index', next=next_path))

    if current_user.is_authenticated:
        return redirect(next_path)

    if request.method == 'POST':
        submitted_email = request.form['email']
        ldap_user = auth_ldap_user(submitted_email, request.form['password'])

        if ldap_user is None:
            # Same message for an unknown user and a wrong password.
            flash("Incorrect credentials.")
        else:
            user = create_and_login_user(
                current_org,
                ldap_user[settings.LDAP_DISPLAY_NAME_KEY][0],
                ldap_user[settings.LDAP_EMAIL_KEY][0],
            )
            if user is None:
                return logout_and_redirect_to_index()
            return redirect(next_path or url_for('redash.index'))

    return render_template(
        "login.html",
        org_slug=org_slug,
        next=next_path,
        email=request.form.get('email', ''),
        show_password_login=True,
        username_prompt=settings.LDAP_CUSTOM_USERNAME_PROMPT,
        hide_forgot_password=True,
    )
def login(org_slug=None):
    """LDAP login view: show the form on GET, bind credentials on POST.

    Args:
        org_slug: Organisation slug from the URL; forwarded to the template
            and used to build the default post-login path.

    Returns:
        A redirect when LDAP login is disabled, when the user is already
        authenticated, or after a successful bind; otherwise the rendered
        login template (with a flashed error after a failed bind).
    """
    index_url = url_for("redash.index", org_slug=org_slug)
    unsafe_next_path = request.args.get('next', index_url)
    # Sanitised by get_next_path() to prevent open redirects.
    next_path = get_next_path(unsafe_next_path)

    if not settings.LDAP_LOGIN_ENABLED:
        logger.error("Cannot use LDAP for login without being enabled in settings")
        return redirect(url_for('redash.index', next=next_path))

    if current_user.is_authenticated:
        return redirect(next_path)

    ldap_user = None
    if request.method == 'POST':
        ldap_user = auth_ldap_user(request.form['email'], request.form['password'])
        if ldap_user is None:
            flash("Incorrect credentials.")

    if ldap_user is not None:
        # The directory entry's attributes are multi-valued; use the first.
        display_name = ldap_user[settings.LDAP_DISPLAY_NAME_KEY][0]
        email = ldap_user[settings.LDAP_EMAIL_KEY][0]
        user = create_and_login_user(current_org, display_name, email)
        if user is None:
            return logout_and_redirect_to_index()
        return redirect(next_path or url_for('redash.index'))

    template_args = dict(
        org_slug=org_slug,
        next=next_path,
        email=request.form.get('email', ''),
        show_password_login=True,
        username_prompt=settings.LDAP_CUSTOM_USERNAME_PROMPT,
        hide_forgot_password=True,
    )
    return render_template("login.html", **template_args)
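def authorized():
    """OAuth callback for Google login.

    Reads the token data returned by the Google remote app, fetches the
    user's profile, checks it against the organisation's login policy and
    finally logs the user in and redirects to the sanitised post-login path.

    Returns:
        A Flask redirect response: to the login page on any validation
        failure, otherwise to the requested post-login path.
    """
    resp = google_remote_app().authorized_response()
    # If the exchange was denied or failed there is no token data to index;
    # ``resp['access_token']`` would raise (KeyError/TypeError) before the
    # ``is None`` guard below ever ran, so read the token defensively.
    access_token = (resp or {}).get('access_token')

    if access_token is None:
        logger.warning("Access token missing in call back request.")
        flash("Validation error. Please retry.")
        return redirect(url_for('redash.login'))

    profile = get_user_profile(access_token)
    if profile is None:
        flash("Validation error. Please retry.")
        return redirect(url_for('redash.login'))

    # An org slug stashed in the session before the OAuth round-trip takes
    # precedence over the org resolved from this request; pop it so it is
    # consumed exactly once.
    if 'org_slug' in session:
        org = models.Organization.get_by_slug(session.pop('org_slug'))
    else:
        org = current_org

    if not verify_profile(org, profile):
        logger.warning("User tried to login with unauthorized domain name: %s (org: %s)", profile['email'], org)
        flash("Your Google Apps account ({}) isn't allowed.".format(profile['email']))
        return redirect(url_for('redash.login', org_slug=org.slug))

    # Request a 40px rendition of the profile picture.
    picture_url = "%s?sz=40" % profile['picture']
    user = create_and_login_user(org, profile['name'], profile['email'], picture_url)
    if user is None:
        return logout_and_redirect_to_index()

    # ``state`` carries the caller-supplied post-login path; it is untrusted
    # until get_next_path() has validated it (open-redirect protection).
    # NOTE(review): nothing here compares ``state`` with a stored value;
    # confirm the OAuth client layer performs that check.
    unsafe_next_path = request.args.get('state') or url_for("redash.index", org_slug=org.slug)
    next_path = get_next_path(unsafe_next_path)

    return redirect(next_path)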
def login(org_slug=None):
    """Password login view, also exposing the other enabled login methods.

    Args:
        org_slug: Organisation slug from the URL; forwarded to the template
            and used for the default post-login path.

    Returns:
        A redirect to ``/setup`` or ``/`` when no organisation is resolved,
        to the sanitised ``next`` path when already authenticated or after a
        successful POST; otherwise the rendered login template.
    """
    # We intentionally use == as otherwise it won't actually use the proxy. So weird :O
    # noinspection PyComparisonWithNone
    if current_org == None:
        return redirect("/" if settings.MULTI_ORG else "/setup")

    index_url = url_for("redash.index", org_slug=org_slug)
    # ``next`` is caller-controlled; get_next_path() sanitises it so the
    # post-login redirect stays on this site.
    next_path = get_next_path(request.args.get("next", index_url))
    if current_user.is_authenticated:
        return redirect(next_path)

    password_login_enabled = current_org.get_setting("auth_password_login_enabled")

    if request.method == "POST":
        if not password_login_enabled:
            flash("当前组织密码不正确。")
        else:
            try:
                org = current_org._get_current_object()
                user = models.User.get_by_email_and_org(request.form["email"], org)
                # NOTE(review): an unknown or disabled account short-circuits
                # before the password hash is checked, so response timing may
                # differ from the wrong-password case.
                credentials_ok = (
                    bool(user)
                    and not user.is_disabled
                    and user.verify_password(request.form["password"])
                )
                if credentials_ok:
                    login_user(user, remember="remember" in request.form)
                    return redirect(next_path)
            except NoResultFound:
                pass
            # One message for unknown e-mail and wrong password alike.
            flash("电子邮箱或密码不正确。")

    google_auth_url = get_google_auth_url(next_path)

    return render_template(
        "login.html",
        org_slug=org_slug,
        next=next_path,
        email=request.form.get("email", ""),
        show_google_openid=settings.GOOGLE_OAUTH_ENABLED,
        google_auth_url=google_auth_url,
        show_password_login=password_login_enabled,
        show_saml_login=current_org.get_setting("auth_saml_enabled"),
        show_remote_user_login=settings.REMOTE_USER_LOGIN_ENABLED,
        show_ldap_login=settings.LDAP_LOGIN_ENABLED,
    )
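def redirect_login():
    """Automatically redirects from /login to /remote_user/login.

    Intended as a request hook: when remote-user login is enabled and a
    browser (non-AJAX) request targets the regular login page, divert it to
    the remote-user login view, preserving the sanitised ``next`` path and
    the organisation slug.

    Returns:
        A Flask redirect response when the request should be diverted,
        otherwise ``None`` so normal request handling continues.
    """
    login_path = get_login_url(external=False, next=None)

    if not settings.REMOTE_USER_LOGIN_ENABLED:
        return None

    # Equivalent of the former ``request.is_xhr`` (removed in Werkzeug 2.0):
    # a case-insensitive comparison of the X-Requested-With header.
    is_xhr = request.headers.get("X-Requested-With", "").lower() == "xmlhttprequest"
    if is_xhr:
        return None

    if not request.path.startswith(login_path):
        return None

    org_slug = current_org.slug
    index_url = url_for("redash.index", org_slug=org_slug)
    # ``next`` is caller-controlled; get_next_path() sanitises it before it
    # is propagated to the remote-user login URL.
    unsafe_next_path = request.args.get("next", index_url)
    next_path = get_next_path(unsafe_next_path)
    remote_login_url = url_for("remote_user_auth.login",
                               next=next_path,
                               org_slug=org_slug)
    return redirect(remote_login_url)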
def login(org_slug=None):
    """Login view with an optional CAS shortcut in front of password login.

    Args:
        org_slug: Organisation slug from the URL; forwarded to the template
            and used for the default post-login path.

    Returns:
        A redirect to ``/setup`` or ``/`` when no organisation is resolved,
        to the sanitised ``next`` path when already authenticated, when
        ``settings.CAS_AUTH`` is set, or after a successful POST; otherwise
        the rendered login template.
    """
    # We intentionally use == as otherwise it won't actually use the proxy. So weird :O
    # noinspection PyComparisonWithNone
    if current_org == None:
        return redirect('/' if settings.MULTI_ORG else '/setup')

    index_url = url_for('redash.index', org_slug=org_slug)
    # Sanitised by get_next_path() to prevent open redirects.
    next_path = get_next_path(request.args.get('next', index_url))
    if current_user.is_authenticated:
        return redirect(next_path)

    remember = 'remember' in request.form

    # support cas auth
    if settings.CAS_AUTH:
        # NOTE(review): cas_auth()'s return value is not inspected; the
        # redirect happens regardless of what it reports.
        cas_auth(current_org._get_current_object(), remember)
        return redirect(next_path)

    if request.method == 'POST':
        credentials_valid = False
        try:
            org = current_org._get_current_object()
            user = models.User.get_by_email_and_org(request.form['email'], org)
            credentials_valid = bool(
                user and not user.is_disabled and user.verify_password(
                    request.form['password']))
            if credentials_valid:
                login_user(user, remember=remember)
                return redirect(next_path)
        except NoResultFound:
            credentials_valid = False
        if not credentials_valid:
            # One message for unknown e-mail and wrong password alike.
            flash("Wrong email or password.")

    google_auth_url = get_google_auth_url(next_path)

    template_args = dict(
        org_slug=org_slug,
        next=next_path,
        email=request.form.get('email', ''),
        show_google_openid=settings.GOOGLE_OAUTH_ENABLED,
        google_auth_url=google_auth_url,
        show_password_login=current_org.get_setting(
            'auth_password_login_enabled'),
        show_saml_login=current_org.get_setting('auth_saml_enabled'),
        show_remote_user_login=settings.REMOTE_USER_LOGIN_ENABLED,
        show_ldap_login=settings.LDAP_LOGIN_ENABLED,
    )
    return render_template("login.html", **template_args)
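    def authorized():
        """OAuth callback for Google login (Authlib client).

        Completes the authorization-code exchange, stores the returned
        userinfo in the session, fetches the user's profile, checks it
        against the organisation's login policy and finally logs the user
        in and redirects to the sanitised post-login path.

        Returns:
            A Flask redirect response: to the login page on any validation
            failure, otherwise to the requested post-login path.
        """

        logger.debug("Authorized user inbound")

        resp = oauth.google.authorize_access_token()
        user = resp.get("userinfo")
        if user:
            # NOTE(review): this places the whole userinfo document in the
            # session; with Flask's default client-side session that data
            # travels in the cookie — confirm that is intended.
            session["user"] = user

        # ``resp["access_token"]`` would raise KeyError when the token is
        # absent, so the ``is None`` guard below could never trigger; use
        # .get() so the guard actually handles the missing-token case.
        access_token = resp.get("access_token")

        if access_token is None:
            logger.warning("Access token missing in call back request.")
            flash("Validation error. Please retry.")
            return redirect(url_for("redash.login"))

        profile = get_user_profile(access_token)
        if profile is None:
            flash("Validation error. Please retry.")
            return redirect(url_for("redash.login"))

        # An org slug stashed in the session before the OAuth round-trip
        # takes precedence over the org resolved from this request; pop it
        # so it is consumed exactly once.
        if "org_slug" in session:
            org = models.Organization.get_by_slug(session.pop("org_slug"))
        else:
            org = current_org

        if not verify_profile(org, profile):
            logger.warning(
                "User tried to login with unauthorized domain name: %s (org: %s)",
                profile["email"],
                org,
            )
            flash("Your Google Apps account ({}) isn't allowed.".format(
                profile["email"]))
            return redirect(url_for("redash.login", org_slug=org.slug))

        # Request a 40px rendition of the profile picture.
        picture_url = "%s?sz=40" % profile["picture"]
        user = create_and_login_user(org, profile["name"], profile["email"],
                                     picture_url)
        if user is None:
            return logout_and_redirect_to_index()

        # The post-login path was stashed in the session before the OAuth
        # round-trip; it is still validated by get_next_path() before use.
        unsafe_next_path = session.get("next_url") or url_for(
            "redash.index", org_slug=org.slug)
        next_path = get_next_path(unsafe_next_path)

        return redirect(next_path)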
def login(org_slug=None):
    """Password login view, also exposing the other enabled login methods.

    Args:
        org_slug: Organisation slug from the URL; forwarded to the template
            and used for the default post-login path.

    Returns:
        A redirect to ``/setup`` or ``/`` when no organisation is resolved,
        to the sanitised ``next`` path when already authenticated or after a
        successful POST; otherwise the rendered login template.
    """
    # We intentionally use == as otherwise it won't actually use the proxy. So weird :O
    # noinspection PyComparisonWithNone
    if current_org == None:
        return redirect('/' if settings.MULTI_ORG else '/setup')

    index_url = url_for('redash.index', org_slug=org_slug)
    # ``next`` is caller-controlled; get_next_path() sanitises it so the
    # post-login redirect stays on this site.
    next_path = get_next_path(request.args.get('next', index_url))
    if current_user.is_authenticated:
        return redirect(next_path)

    if request.method == 'POST':
        try:
            org = current_org._get_current_object()
            user = models.User.get_by_email_and_org(request.form['email'], org)
            # NOTE(review): an unknown or disabled account short-circuits
            # before the password hash is checked, so response timing may
            # differ from the wrong-password case.
            if user and not user.is_disabled and user.verify_password(request.form['password']):
                login_user(user, remember=('remember' in request.form))
                return redirect(next_path)
        except NoResultFound:
            pass
        # One message for unknown e-mail and wrong password alike.
        flash("Wrong email or password.")

    google_auth_url = get_google_auth_url(next_path)

    template_args = dict(
        org_slug=org_slug,
        next=next_path,
        email=request.form.get('email', ''),
        show_google_openid=settings.GOOGLE_OAUTH_ENABLED,
        google_auth_url=google_auth_url,
        show_password_login=current_org.get_setting('auth_password_login_enabled'),
        show_saml_login=current_org.get_setting('auth_saml_enabled'),
        show_remote_user_login=settings.REMOTE_USER_LOGIN_ENABLED,
        show_ldap_login=settings.LDAP_LOGIN_ENABLED,
    )
    return render_template("login.html", **template_args)
def check_remote_groups():
    """Gate the remote-user login view on the groups header.

    When remote-user login and the remote-groups extension are both enabled
    and the request targets the remote-user login view, read the groups
    header and require at least one group from
    ``extension_settings.REMOTE_GROUPS_ALLOWED``.

    Returns:
        A redirect to the index (carrying the sanitised ``next`` path) when
        no allowed group is present; ``None`` in every other case so the
        request proceeds normally.
    """
    # Quick shortcut out if remote user auth or remote groups aren't enabled
    if not settings.REMOTE_USER_LOGIN_ENABLED:
        return
    if not extension_settings.REMOTE_GROUPS_ENABLED:
        return

    multi_org = settings.MULTI_ORG
    org = current_org._get_current_object() if multi_org else None

    # Build the path of the remote auth login endpoint for this deployment.
    if multi_org:
        remote_auth_path = url_for("remote_user_auth.login", org_slug=org.slug)
    else:
        remote_auth_path = url_for("remote_user_auth.login")

    # Only the remote user auth view is subject to the group check.
    if not request.path.startswith(remote_auth_path):
        return

    header_value = request.headers.get(extension_settings.REMOTE_GROUPS_HEADER) or ""
    remote_groups = settings.set_from_string(header_value)

    # Any overlap between the header's groups and the allowed set is enough.
    if extension_settings.REMOTE_GROUPS_ALLOWED.intersection(remote_groups):
        return

    logger.error(
        "User groups provided in the %s header are not "
        "matching the allowed groups.",
        extension_settings.REMOTE_GROUPS_HEADER,
    )
    # Send the user back to the frontpage; ``next`` is sanitised first.
    next_path = get_next_path(request.args.get("next"))
    if multi_org:
        index_url = url_for("redash.index", org_slug=org.slug, next=next_path)
    else:
        index_url = url_for("redash.index", next=next_path)
    return redirect(index_url)
def authorized():
    """OAuth callback for Microsoft login.

    Takes the authorization ``code`` from the callback, resolves the user's
    profile from it, checks the profile against the organisation's login
    policy and finally logs the user in and redirects to the sanitised
    post-login path.

    Returns:
        A Flask redirect response: to the login page on any validation
        failure, otherwise to the requested post-login path.
    """
    code = request.args.get('code')
    if code is None:
        logger.warning("code missing in call back request.")
        flash("Validation error. Please retry.")
        return redirect(url_for("redash.login"))

    profile = get_user_profile(code)
    if profile is None:
        flash("Validation error. Please retry.")
        return redirect(url_for("redash.login"))

    # An org slug stashed in the session before the OAuth round-trip takes
    # precedence over the org resolved from this request; it is consumed once.
    _absent = object()
    pending_slug = session.pop("org_slug", _absent)
    if pending_slug is _absent:
        org = current_org
    else:
        org = models.Organization.get_by_slug(pending_slug)

    if not verify_profile(org, profile):
        logger.warning(
            "User tried to login with unauthorized domain name: %s (org: %s)",
            profile["email"],
            org,
        )
        flash("Your microsoft Apps account ({}) isn't allowed.".format(
            profile["email"]))
        return redirect(url_for("redash.login", org_slug=org.slug))

    # The picture is optional for this provider; None is passed through.
    picture_url = profile.get('picture')
    user = create_and_login_user(org, profile["name"], profile["email"],
                                 picture_url)
    if user is None:
        return logout_and_redirect_to_index()

    # ``state`` carries the caller-supplied post-login path; it is untrusted
    # until get_next_path() has validated it (open-redirect protection).
    # NOTE(review): nothing here compares ``state`` with a stored value;
    # confirm that check happens elsewhere in the flow.
    fallback = url_for("redash.index", org_slug=org.slug)
    next_path = get_next_path(request.args.get("state") or fallback)

    return redirect(next_path)