def clean(self):
username = self.cleaned_data.get('login')
password = self.cleaned_data.get('password')
if username and password:
if not is_valid_email(username):
# convert login id to username if any
username = Profile.objects.convert_login_str_to_username(
username)
self.user_cache = authenticate(username=username,
password=password)
if self.user_cache is None:
"""then try login id/contact email/primary id"""
# convert contact email to username if any
username = Profile.objects.convert_login_str_to_username(
username)
# convert username to primary id if any
username = self.get_primary_id_by_username(username)
self.user_cache = authenticate(username=username,
password=password)
if self.user_cache is None:
err_msg = _(
"Please enter a correct email/username and password. Note that both fields are case-sensitive."
)
if settings.LOGIN_ERROR_DETAILS:
try:
u = User.objects.get(email=username)
except User.DoesNotExist:
err_msg = _(
"That e-mail address doesn't have an associated user account. Are you sure you've registered?"
)
self.errors['not_found'] = err_msg
raise forms.ValidationError(err_msg)
# user found for login string but inactive
if not self.user_cache.is_active:
if settings.ACTIVATE_AFTER_FIRST_LOGIN and \
not UserOptions.objects.is_user_logged_in(username):
"""Activate user on first login."""
self.user_cache.is_active = True
self.user_cache.save()
UserOptions.objects.set_user_logged_in(username)
else:
self.errors['inactive'] = _("This account is inactive.")
raise forms.ValidationError(_("This account is inactive."))
# TODO: determine whether this should move to its own method.
if self.request:
if not self.request.session.test_cookie_worked():
raise forms.ValidationError(
_("Your Web browser doesn't appear to have cookies enabled. Cookies are required for logging in."
))
return self.cleaned_data
def process_request(self, request):
if request.path not in self.trust_endpoints:
return
# AuthenticationMiddleware is required so that request.user exists.
if not hasattr(request, 'user'):
raise ImproperlyConfigured(
"The Django remote user auth middleware requires the"
" authentication middleware to be installed. Edit your"
" MIDDLEWARE_CLASSES setting to insert"
" 'django.contrib.auth.middleware.AuthenticationMiddleware'"
" before the RemoteUserMiddleware class.")
try:
username = request.META[self.header]
except KeyError:
# If specified header doesn't exist then return (leaving
# request.user set to AnonymousUser by the
# AuthenticationMiddleware).
return
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
# persisted in the session and we don't need to continue.
if request.user.is_authenticated():
if request.user.username == self.clean_username(username, request):
return
# We are seeing this user for the first time in this session, attempt
# to authenticate the user.
user = auth.authenticate(remote_user=username)
if user:
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
auth.login(request, user)
def process_request(self, request):
# AuthenticationMiddleware is required so that request.user exists.
if not hasattr(request, "user"):
raise ImproperlyConfigured(
"The Django remote user auth middleware requires the"
" authentication middleware to be installed. Edit your"
" MIDDLEWARE_CLASSES setting to insert"
" 'django.contrib.auth.middleware.AuthenticationMiddleware'"
" before the RemoteUserMiddleware class."
)
# To support logout. If this variable is True, do not
# authenticate user and return now.
if request.session.get(LOGOUT_SESSION_KEY) == True:
return
else:
# Delete the shib reauth session key if present.
request.session.pop(LOGOUT_SESSION_KEY, None)
# Locate the remote user header.
# import pprint; pprint.pprint(request.META)
try:
username = request.META[SHIB_USER_HEADER]
except KeyError:
# If specified header doesn't exist then return (leaving
# request.user set to AnonymousUser by the
# AuthenticationMiddleware).
return
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
# persisted in the session and we don't need to continue.
if request.user.is_authenticated():
if request.user.username == username:
if request.user.is_staff:
update_sudo_mode_ts(request)
return
# Make sure we have all required Shiboleth elements before proceeding.
shib_meta, error = self.parse_attributes(request)
# Add parsed attributes to the session.
request.session["shib"] = shib_meta
if error:
raise ShibbolethValidationError("All required Shibboleth elements" " not found. %s" % shib_meta)
# We are seeing this user for the first time in this session, attempt
# to authenticate the user.
user = auth.authenticate(remote_user=username, shib_meta=shib_meta)
if user:
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
auth.login(request, user)
user.set_unusable_password()
user.save()
# call make profile.
self.make_profile(user, shib_meta)
# setup session.
self.setup_session(request)
request.shib_login = True
def process_request(self, request):
protected_paths = [
item.strip().strip('/') for item in self.protected_paths
]
if request.path.strip('/') not in protected_paths:
return
# AuthenticationMiddleware is required so that request.user exists.
if not hasattr(request, 'user'):
raise ImproperlyConfigured(
"The Django remote user auth middleware requires the"
" authentication middleware to be installed. Edit your"
" MIDDLEWARE setting to insert"
" 'django.contrib.auth.middleware.AuthenticationMiddleware'"
" before the RemoteUserMiddleware class.")
try:
username = request.META[self.header]
except KeyError:
if settings.DEBUG:
assert False
# If specified header doesn't exist then remove any existing
# authenticated remote-user, or return (leaving request.user set to
# AnonymousUser by the AuthenticationMiddleware).
if self.force_logout_if_no_header and request.user.is_authenticated(
):
self._remove_invalid_user(request)
return
if self.remote_user_domain:
username = username.split('@')[0] + '@' + self.remote_user_domain
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
# persisted in the session and we don't need to continue.
if request.user.is_authenticated():
if request.user.get_username() == self.clean_username(
username, request):
if request.user.is_staff:
update_sudo_mode_ts(request)
# add a mark to generate api token and set cookie
request.remote_user_authentication = True
return
else:
# An authenticated user is associated with the request, but
# it does not match the authorized user in the header.
self._remove_invalid_user(request)
# We are seeing this user for the first time in this session, attempt
# to authenticate the user.
user = auth.authenticate(request=request, remote_user=username)
if user:
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
auth.login(request, user)
# add a mark to generate api token and set cookie
request.remote_user_authentication = True
def process_request(self, request):
# AuthenticationMiddleware is required so that request.user exists.
if not hasattr(request, 'user'):
raise ImproperlyConfigured(
"The Django remote user auth middleware requires the"
" authentication middleware to be installed. Edit your"
" MIDDLEWARE_CLASSES setting to insert"
" 'django.contrib.auth.middleware.AuthenticationMiddleware'"
" before the RemoteUserMiddleware class.")
#To support logout. If this variable is True, do not
#authenticate user and return now.
if request.session.get(LOGOUT_SESSION_KEY) == True:
return
else:
#Delete the shib reauth session key if present.
request.session.pop(LOGOUT_SESSION_KEY, None)
#Locate the remote user header.
# import pprint; pprint.pprint(request.META)
try:
username = request.META[SHIB_USER_HEADER]
except KeyError:
# If specified header doesn't exist then return (leaving
# request.user set to AnonymousUser by the
# AuthenticationMiddleware).
return
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
# persisted in the session and we don't need to continue.
if request.user.is_authenticated():
if request.user.username == username:
if request.user.is_staff:
update_sudo_mode_ts(request)
return
# Make sure we have all required Shiboleth elements before proceeding.
shib_meta, error = self.parse_attributes(request)
# Add parsed attributes to the session.
request.session['shib'] = shib_meta
if error:
raise ShibbolethValidationError("All required Shibboleth elements"
" not found. %s" % shib_meta)
# We are seeing this user for the first time in this session, attempt
# to authenticate the user.
user = auth.authenticate(remote_user=username, shib_meta=shib_meta)
if user:
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
auth.login(request, user)
user.set_unusable_password()
user.save()
# call make profile.
self.make_profile(user, shib_meta)
#setup session.
self.setup_session(request)
request.shib_login = True
def token_view(request, token):
"""Show form to let user set password.
"""
i = get_object_or_404(Invitation, token=token)
if i.is_expired():
raise Http404
if request.method == 'GET':
try:
user = User.objects.get(email=i.accepter)
if user.is_active is True:
# user is active return exist
messages.error(request, _('A user with this email already exists.'))
except User.DoesNotExist:
pass
return render(request, 'invitations/token_view.html', {'iv': i, })
if request.method == 'POST':
passwd = request.POST.get('password', '')
if not passwd:
return HttpResponseRedirect(request.META.get('HTTP_REFERER'))
try:
user = User.objects.get(email=i.accepter)
if user.is_active is True:
# user is active return exist
messages.error(request, _('A user with this email already exists.'))
return render(request, 'invitations/token_view.html', {'iv': i, })
else:
# user is inactive then set active and new password
user.set_password(passwd)
user.is_active = True
user.save()
user = authenticate(username=user.username, password=passwd)
except User.DoesNotExist:
# Create user, set that user as guest.
user = User.objects.create_user(
email=i.accepter, password=passwd, is_active=True)
User.objects.update_role(user.username, GUEST_USER)
for backend in get_backends():
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
# Update invitation accept time.
i.accept()
# login
auth_login(request, user)
# send signal to notify inviter
accept_guest_invitation_successful.send(
sender=None, invitation_obj=i)
# send email to notify admin
if NOTIFY_ADMIN_AFTER_REGISTRATION:
notify_admins_on_register_complete(user.email)
return HttpResponseRedirect(SITE_ROOT)
def clean(self):
username = self.cleaned_data.get('login')
password = self.cleaned_data.get('password')
if username and password:
self.user_cache = authenticate(username=username,
password=password)
if self.user_cache is None:
"""then try login id/contact email/primary id"""
# convert login id or contact email to username if any
username = Profile.objects.convert_login_str_to_username(username)
# convert username to primary id if any
username = self.get_primary_id_by_username(username)
self.user_cache = authenticate(username=username, password=password)
if self.user_cache is None:
err_msg = _("Please enter a correct email/username and password. Note that both fields are case-sensitive.")
if settings.LOGIN_ERROR_DETAILS:
try:
u = User.objects.get(email=username)
except User.DoesNotExist:
err_msg = _("That e-mail address doesn't have an associated user account. Are you sure you've registered?")
self.errors['not_found'] = err_msg
raise forms.ValidationError(err_msg)
# user found for login string but inactive
if not self.user_cache.is_active:
if settings.ACTIVATE_AFTER_FIRST_LOGIN and \
not UserOptions.objects.is_user_logged_in(username):
"""Activate user on first login."""
self.user_cache.is_active = True
self.user_cache.save()
UserOptions.objects.set_user_logged_in(username)
else:
self.errors['inactive'] = _("This account is inactive.")
raise forms.ValidationError(_("This account is inactive."))
# TODO: determine whether this should move to its own method.
if self.request:
if not self.request.session.test_cookie_worked():
raise forms.ValidationError(_("Your Web browser doesn't appear to have cookies enabled. Cookies are required for logging in."))
return self.cleaned_data
def process_request(self, request):
protected_paths = [item.strip().strip('/') for item in self.protected_paths]
if request.path.strip('/') not in protected_paths:
return
# AuthenticationMiddleware is required so that request.user exists.
if not hasattr(request, 'user'):
raise ImproperlyConfigured(
"The Django remote user auth middleware requires the"
" authentication middleware to be installed. Edit your"
" MIDDLEWARE setting to insert"
" 'django.contrib.auth.middleware.AuthenticationMiddleware'"
" before the RemoteUserMiddleware class.")
try:
username = request.META[self.header]
except KeyError:
if settings.DEBUG:
assert False
# If specified header doesn't exist then remove any existing
# authenticated remote-user, or return (leaving request.user set to
# AnonymousUser by the AuthenticationMiddleware).
if self.force_logout_if_no_header and request.user.is_authenticated(
):
self._remove_invalid_user(request)
return
if self.remote_user_domain:
username = username.split('@')[0] + '@' + self.remote_user_domain
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
# persisted in the session and we don't need to continue.
if request.user.is_authenticated():
if request.user.get_username() == self.clean_username(
username, request):
if request.user.is_staff:
update_sudo_mode_ts(request)
# add a mark to generate api token and set cookie
request.remote_user_authentication = True
return
else:
# An authenticated user is associated with the request, but
# it does not match the authorized user in the header.
self._remove_invalid_user(request)
# We are seeing this user for the first time in this session, attempt
# to authenticate the user.
user = auth.authenticate(request=request, remote_user=username)
if user:
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
auth.login(request, user)
# add a mark to generate api token and set cookie
request.remote_user_authentication = True
def validate(self, attrs):
login_id = attrs.get('username')
password = attrs.get('password')
platform = attrs.get('platform', None)
device_id = attrs.get('device_id', None)
device_name = attrs.get('device_name', None)
client_version = attrs.get('client_version', None)
platform_version = attrs.get('platform_version', None)
v2_fields = (platform, device_id, device_name)
# Decide the version of token we need
if all_none(v2_fields):
v2 = False
elif all_not_none(v2_fields):
v2 = True
else:
raise serializers.ValidationError('invalid params')
username = Profile.objects.get_username_by_login_id(login_id)
if username is None:
username = login_id
if username and password:
user = authenticate(username=username, password=password)
if user:
if not user.is_active:
raise serializers.ValidationError('User account is disabled.')
else:
raise serializers.ValidationError('Unable to login with provided credentials.')
else:
raise serializers.ValidationError('Must include "username" and "password"')
populate_user_permissions(user)
if platform in DESKTOP_PLATFORMS:
if not user.permissions.can_connect_with_desktop_clients():
raise serializers.ValidationError('Not allowed to connect to desktop client.')
elif platform == 'android':
if not user.permissions.can_connect_with_android_clients():
raise serializers.ValidationError('Not allowed to connect to android client.')
elif platform == 'ios':
if not user.permissions.can_connect_with_ios_clients():
raise serializers.ValidationError('Not allowed to connect to ios client.')
else:
logger.info('%s: unrecognized device' % login_id)
self._two_factor_auth(self.context['request'], user)
# Now user is authenticated
if v2:
token = get_token_v2(self.context['request'], username, platform, device_id, device_name,
client_version, platform_version)
else:
token = get_token_v1(username)
return token.key
def validate(self, attrs):
username = attrs.get('username')
password = attrs.get('password')
if username and password:
user = authenticate(username=username, password=password)
if user:
if not user.is_active:
raise serializers.ValidationError('User account is disabled.')
attrs['user'] = user
return attrs
else:
raise serializers.ValidationError('Unable to login with provided credentials.')
else:
raise serializers.ValidationError('Must include "username" and "password"')
def acs(request):
saml_client = _get_saml_client()
saml_resp = request.POST.get('SAMLResponse', None)
if not saml_resp:
return render_error(request, _('login failed, please contact admin.'))
authn_response = saml_client.parse_authn_request_response(
saml_resp, entity.BINDING_HTTP_POST)
if not authn_response:
return render_error(request, _('login failed, please contact admin.'))
user_identity = authn_response.get_identity()
if not user_identity:
return render_error(request, _('login failed, please contact admin.'))
for saml_key, dtable_key in SAML_ATTR_MAPPERS.items():
if dtable_key == 'contact_email':
user_email = user_identity.get(saml_key, [''])[0]
elif dtable_key == 'name':
username = user_identity.get(saml_key, [''])[0]
if not user_email:
return render_error(request, _('login failed, please contact admin.'))
try:
user = auth.authenticate(remote_user=user_email, nickname=username)
except User.DoesNotExist:
user = None
if not user or not user.is_active:
logger.error('User %s not found or inactive.' % user_email)
# a page for authenticate user failed
return render_error(request, _('User %s not found.') % user_email)
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
auth.login(request, user)
next_url = request.session.get('login_next_url', _default_next_url())
default_relay_state = '/'
relay_state = request.POST.get('RelayState', next_url)
if not relay_state:
logger.warning('The RelayState parameter exists but is empty')
relay_state = default_relay_state
return HttpResponseRedirect(relay_state)
def clean(self):
username = self.cleaned_data.get('username')
password = self.cleaned_data.get('password')
if username and password:
self.user_cache = authenticate(username=username, password=password)
if self.user_cache is None:
raise forms.ValidationError(_("Please enter a correct username and password. Note that both fields are case-sensitive."))
elif not self.user_cache.is_active:
raise forms.ValidationError(_("This account is inactive."))
# TODO: determine whether this should move to its own method.
if self.request:
if not self.request.session.test_cookie_worked():
raise forms.ValidationError(_("Your Web browser doesn't appear to have cookies enabled. Cookies are required for logging in."))
return self.cleaned_data
def validate(self, attrs):
username = attrs.get("username")
password = attrs.get("password")
platform = attrs.get("platform", None)
device_id = attrs.get("device_id", None)
device_name = attrs.get("device_name", None)
client_version = attrs.get("client_version", None)
platform_version = attrs.get("platform_version", None)
v2_fields = (platform, device_id, device_name, client_version, platform_version)
# Decide the version of token we need
if all_none(v2_fields):
v2 = False
elif all_not_none(v2_fields):
v2 = True
else:
raise serializers.ValidationError("invalid params")
# first check username and password
if username:
if not is_valid_username(username):
raise serializers.ValidationError("username is not valid.")
if username and password:
user = authenticate(username=username, password=password)
if user:
if not user.is_active:
raise serializers.ValidationError("User account is disabled.")
else:
raise serializers.ValidationError("Unable to login with provided credentials.")
else:
raise serializers.ValidationError('Must include "username" and "password"')
# Now user is authenticated
if v2:
token = get_token_v2(
self.context["request"], username, platform, device_id, device_name, client_version, platform_version
)
else:
token = get_token_v1(username)
return token.key
def validate(self, attrs):
login_id = attrs.get('username')
password = attrs.get('password')
platform = attrs.get('platform', None)
device_id = attrs.get('device_id', None)
device_name = attrs.get('device_name', None)
client_version = attrs.get('client_version', None)
platform_version = attrs.get('platform_version', None)
v2_fields = (platform, device_id, device_name)
# Decide the version of token we need
if all_none(v2_fields):
v2 = False
elif all_not_none(v2_fields):
v2 = True
else:
raise serializers.ValidationError('invalid params')
username = Profile.objects.get_username_by_login_id(login_id)
if username is None:
username = login_id
if username and password:
user = authenticate(username=username, password=password)
if user:
if not user.is_active:
raise serializers.ValidationError('User account is disabled.')
else:
raise serializers.ValidationError('Unable to login with provided credentials.')
else:
raise serializers.ValidationError('Must include "username" and "password"')
self._two_factor_auth(self.context['request'], username)
# Now user is authenticated
if v2:
token = get_token_v2(self.context['request'], username, platform, device_id, device_name,
client_version, platform_version)
else:
token = get_token_v1(username)
return token.key
def validate(self, attrs):
username = attrs.get('username')
password = attrs.get('password')
if username and password:
user = authenticate(username=username, password=password)
if user:
if not user.is_active:
raise serializers.ValidationError(
'User account is disabled.')
attrs['user'] = user
return attrs
else:
raise serializers.ValidationError(
'Unable to login with provided credentials.')
else:
raise serializers.ValidationError(
'Must include "username" and "password"')
def oauth_callback(request):
""" Step 3: Retrieving an access token.
The user has been redirected back from the provider to your registered
callback URL. With this redirection comes an authorization code included
in the redirect URL. We will use that to obtain an access token.
"""
session = OAuth2Session(client_id=CLIENT_ID,
scope=SCOPE,
state=request.session.get('oauth_state', None),
redirect_uri=REDIRECT_URL)
try:
token = session.fetch_token(
TOKEN_URL,
client_secret=CLIENT_SECRET,
authorization_response=request.get_full_path())
if session._client.__dict__['token'].has_key('user_id'):
# used for sjtu.edu.cn
# https://xjq12311.gitbooks.io/sjtu-engtc/content/
user_id = session._client.__dict__['token']['user_id']
user_info_resp = session.get(USER_INFO_URL +
'?user_id=%s' % user_id)
else:
user_info_url = USER_INFO_URL
if ACCESS_TOKEN_IN_URI:
code = request.GET.get('code')
user_info_url = USER_INFO_URL + '?access_token=%s&code=%s' % (
token['access_token'], code)
user_info_resp = session.get(user_info_url)
except Exception as e:
logger.error(e)
return render_error(request, _('Error, please contact administrator.'))
def format_user_info(user_info_resp):
logger.info('user info resp: %s' % user_info_resp.text)
error = False
user_info = {}
user_info_json = user_info_resp.json()
for item, attr in ATTRIBUTE_MAP.items():
required, user_attr = attr
value = user_info_json.get(item, '')
if value:
# ccnet email
if user_attr == 'email':
user_info[user_attr] = value if is_valid_email(str(value)) else \
'%s@%s' % (str(value), PROVIDER_DOMAIN)
else:
user_info[user_attr] = value
elif required:
error = True
return user_info, error
user_info, error = format_user_info(user_info_resp)
if error:
logger.error('Required user info not found.')
logger.error(user_info)
return render_error(request, _('Error, please contact administrator.'))
# seahub authenticate user
email = user_info['email']
try:
user = auth.authenticate(remote_user=email)
except User.DoesNotExist:
user = None
if not user or not user.is_active:
logger.error('User %s not found or inactive.' % email)
# a page for authenticate user failed
return render_error(request, _(u'User %s not found.') % email)
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
auth.login(request, user)
# update user's profile
name = user_info['name'] if user_info.has_key('name') else ''
contact_email = user_info['contact_email'] if \
user_info.has_key('contact_email') else ''
profile = Profile.objects.get_profile_by_user(email)
if not profile:
profile = Profile(user=email)
if name:
profile.nickname = name.strip()
profile.save()
if contact_email:
profile.contact_email = contact_email.strip()
profile.save()
# generate auth token for Seafile client
api_token = get_api_token(request)
# redirect user to home page
response = HttpResponseRedirect(request.session['oauth_redirect'])
response.set_cookie('seahub_auth', email + '@' + api_token.key)
return response
def login(request, next_page=None, required=False):
"""Forwards to CAS login URL or verifies CAS ticket"""
service_url = get_service_url(request, next_page)
client = get_cas_client(service_url=service_url, request=request)
if not next_page and settings.CAS_STORE_NEXT and 'CASNEXT' in request.session:
next_page = request.session['CASNEXT']
del request.session['CASNEXT']
if not next_page:
next_page = get_redirect_url(request)
if request.method == 'POST' and request.POST.get('logoutRequest'):
clean_sessions(client, request)
return HttpResponseRedirect(next_page)
# backward compability for django < 2.0
is_user_authenticated = False
if sys.version_info >= (3, 0):
bool_type = bool
else:
bool_type = types.BooleanType
if isinstance(request.user.is_authenticated, bool_type):
is_user_authenticated = request.user.is_authenticated
else:
is_user_authenticated = request.user.is_authenticated()
if is_user_authenticated:
if settings.CAS_LOGGED_MSG is not None:
message = settings.CAS_LOGGED_MSG % request.user.get_username()
messages.success(request, message)
return HttpResponseRedirect(next_page)
ticket = request.GET.get('ticket')
if ticket:
user = authenticate(ticket=ticket,
service=service_url,
request=request)
pgtiou = request.session.get("pgtiou")
if user is not None:
if not request.session.exists(request.session.session_key):
request.session.create()
auth_login(request, user)
SessionTicket.objects.create(
session_key=request.session.session_key, ticket=ticket)
if pgtiou and settings.CAS_PROXY_CALLBACK:
# Delete old PGT
ProxyGrantingTicket.objects.filter(
user=user,
session_key=request.session.session_key).delete()
# Set new PGT ticket
try:
pgt = ProxyGrantingTicket.objects.get(pgtiou=pgtiou)
pgt.user = user
pgt.session_key = request.session.session_key
pgt.save()
except ProxyGrantingTicket.DoesNotExist:
pass
if settings.CAS_LOGIN_MSG is not None:
name = user.get_username()
message = settings.CAS_LOGIN_MSG % name
messages.success(request, message)
return HttpResponseRedirect(next_page)
elif settings.CAS_RETRY_LOGIN or required:
return HttpResponseRedirect(client.get_login_url())
else:
raise PermissionDenied(_('Login failed.'))
else:
if settings.CAS_STORE_NEXT:
request.session['CASNEXT'] = next_page
return HttpResponseRedirect(client.get_login_url())
def oauth_callback(request):
""" Step 3: Retrieving an access token.
The user has been redirected back from the provider to your registered
callback URL. With this redirection comes an authorization code included
in the redirect URL. We will use that to obtain an access token.
"""
session = OAuth2Session(client_id=CLIENT_ID,
scope=SCOPE,
state=request.session.get('oauth_state', None),
redirect_uri=REDIRECT_URL)
try:
session.fetch_token(TOKEN_URL,
client_secret=CLIENT_SECRET,
authorization_response=request.get_full_path())
if session._client.__dict__['token'].has_key('user_id'):
# used for sjtu.edu.cn
# https://xjq12311.gitbooks.io/sjtu-engtc/content/
user_id = session._client.__dict__['token']['user_id']
user_info_resp = session.get(USER_INFO_URL +
'?user_id=%s' % user_id)
else:
user_info_resp = session.get(USER_INFO_URL)
except Exception as e:
logger.error(e)
return render(request, 'error.html', {
'error_msg': _('Error, please contact administrator.'),
})
def format_user_info(user_info_resp):
error = False
user_info = {}
user_info_json = user_info_resp.json()
for item, attr in ATTRIBUTE_MAP.items():
required, user_attr = attr
value = user_info_json.get(item, '')
if value:
# ccnet email
if user_attr == 'email':
user_info[user_attr] = value if is_valid_email(str(value)) else \
'%s@%s' % (str(value), PROVIDER_DOMAIN)
else:
user_info[user_attr] = value
elif required:
error = True
return user_info, error
user_info, error = format_user_info(user_info_resp)
if error:
logger.error('Required user info not found.')
logger.error(user_info)
return render(request, 'error.html', {
'error_msg': _('Error, please contact administrator.'),
})
# seahub authenticate user
email = user_info['email']
try:
User.objects.get(email=email)
except User.DoesNotExist:
if not config.ENABLE_SIGNUP:
logger.error('%s not found but user registration is disabled.' %
email)
return render(
request, 'error.html', {
'error_msg': _('Error, please contact administrator.'),
})
try:
user = auth.authenticate(remote_user=email)
except User.DoesNotExist:
user = None
if not user or not user.is_active:
logger.error('User %s not found or inactive.' % email)
# a page for authenticate user failed
return render(request, 'error.html',
{'error_msg': _(u'User %s not found.') % email})
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
auth.login(request, user)
user.set_unusable_password()
user.save()
# update user's profile
name = user_info['name'] if user_info.has_key('name') else ''
contact_email = user_info['contact_email'] if \
user_info.has_key('contact_email') else ''
profile = Profile.objects.get_profile_by_user(email)
if not profile:
profile = Profile(user=email)
if name:
profile.nickname = name.strip()
profile.save()
if contact_email:
profile.contact_email = contact_email.strip()
profile.save()
# generate auth token for Seafile client
keys = (
'platform',
'device_id',
'device_name',
'client_version',
'platform_version',
)
if all([key in request.GET for key in keys]):
platform = request.GET['platform']
device_id = request.GET['device_id']
device_name = request.GET['device_name']
client_version = request.GET['client_version']
platform_version = request.GET['platform_version']
token = get_token_v2(request, request.user.username, platform,
device_id, device_name, client_version,
platform_version)
else:
token = get_token_v1(request.user.username)
# redirect user to home page
response = HttpResponseRedirect(reverse('libraries'))
response.set_cookie('seahub_auth', email + '@' + token.key)
return response
def dingtalk_callback(request):
if not ENABLE_DINGTALK:
return render_error(request, _('Error, please contact administrator.'))
state = request.GET.get('state', '')
if not state or state != request.session.get('dingtalk_login_state', ''):
logger.error('invalid state')
return render_error(request, _('Error, please contact administrator.'))
timestamp = str(int(time.time() * 1000)).encode('utf-8')
appsecret = DINGTALK_QR_CONNECT_APP_SECRET.encode('utf-8')
signature = base64.b64encode(
hmac.new(appsecret, timestamp, digestmod=sha256).digest())
parameters = {
'accessKey': DINGTALK_QR_CONNECT_APP_ID,
'timestamp': timestamp,
'signature': signature,
}
code = request.GET.get('code')
data = {"tmp_auth_code": code}
full_user_info_url = DINGTALK_QR_CONNECT_USER_INFO_URL + '?' + urllib.parse.urlencode(
parameters)
user_info_resp = requests.post(full_user_info_url, data=json.dumps(data))
user_info = user_info_resp.json()['user_info']
# seahub authenticate user
if 'unionid' not in user_info:
logger.error('Required user info not found.')
logger.error(user_info)
return render_error(request, _('Error, please contact administrator.'))
auth_user = SocialAuthUser.objects.get_by_provider_and_uid(
'dingtalk', user_info['unionid'])
if auth_user:
email = auth_user.username
else:
email = gen_user_virtual_id()
SocialAuthUser.objects.add(email, 'dingtalk', user_info['unionid'])
try:
user = auth.authenticate(remote_user=email)
except User.DoesNotExist:
user = None
except Exception as e:
logger.error(e)
return render_error(request, _('Error, please contact administrator.'))
if not user or not user.is_active:
return render_error(request,
_('User %s not found or inactive.') % email)
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
request.session['remember_me'] = DINGTALK_QR_CONNECT_LOGIN_REMEMBER_ME
auth.login(request, user)
# update user's profile
name = user_info['nick'] if 'nick' in user_info else ''
if name:
profile = Profile.objects.get_profile_by_user(email)
if not profile:
profile = Profile(user=email)
profile.nickname = name.strip()
profile.save()
user_detail_info = dingtalk_get_detailed_user_info(user_info['unionid'])
contact_email = user_detail_info.get('email', '')
if contact_email:
profile.contact_email = contact_email
profile.save()
# generate auth token for Seafile client
api_token = get_api_token(request)
# redirect user to home page
response = HttpResponseRedirect(
request.session.get('dingtalk_login_redirect', '/'))
response.set_cookie('seahub_auth', email + '@' + api_token.key)
return response
def assertion_consumer_service(request,
config_loader_path=None,
attribute_mapping=None,
create_unknown_user=None):
"""SAML Authorization Response endpoint
The IdP will send its response to this view, which
will process it with pysaml2 help and log the user
in using the custom Authorization backend
djangosaml2.backends.Saml2Backend that should be
enabled in the settings.py
"""
attribute_mapping = attribute_mapping or get_custom_setting(
'SAML_ATTRIBUTE_MAPPING', {'uid': ('username', )})
create_unknown_user = create_unknown_user or get_custom_setting(
'SAML_CREATE_UNKNOWN_USER', True)
logger.debug('Assertion Consumer Service started')
conf = get_config(config_loader_path, request)
if 'SAMLResponse' not in request.POST:
return HttpResponseBadRequest(
'Couldn\'t find "SAMLResponse" in POST data.')
xmlstr = request.POST['SAMLResponse']
client = Saml2Client(conf, identity_cache=IdentityCache(request.session))
oq_cache = OutstandingQueriesCache(request.session)
outstanding_queries = oq_cache.outstanding_queries()
try:
response = client.parse_authn_request_response(xmlstr,
BINDING_HTTP_POST,
outstanding_queries)
except MissingKey:
logger.error('MissingKey error in ACS')
return HttpResponseForbidden(
"The Identity Provider is not configured correctly: "
"the certificate key is missing")
if response is None:
logger.error('SAML response is None')
return HttpResponseBadRequest(
"SAML response has errors. Please check the logs")
session_id = response.session_id()
oq_cache.delete(session_id)
# authenticate the remote user
session_info = response.session_info()
if callable(attribute_mapping):
attribute_mapping = attribute_mapping()
if callable(create_unknown_user):
create_unknown_user = create_unknown_user()
logger.debug('Trying to authenticate the user')
user = auth.authenticate(session_info=session_info,
attribute_mapping=attribute_mapping,
create_unknown_user=create_unknown_user)
if user is None:
logger.error('The user is None')
return HttpResponseForbidden("Permission denied")
if not user.is_active:
logger.error('The user is inactive')
return HttpResponseForbidden("Permission denied")
auth_login(request, user)
_set_subject_id(request.session, session_info['name_id'])
logger.debug('Sending the post_authenticated signal')
post_authenticated.send_robust(sender=user, session_info=session_info)
# redirect the user to the view where he came from
default_relay_state = get_custom_setting('ACS_DEFAULT_REDIRECT_URL',
settings.LOGIN_REDIRECT_URL)
relay_state = request.POST.get('RelayState', default_relay_state)
if not relay_state:
logger.warning('The RelayState parameter exists but is empty')
relay_state = default_relay_state
logger.debug('Redirecting to the RelayState: %s', relay_state)
return HttpResponseRedirect(relay_state)
def weixin_oauth_callback(request):
if not weixin_check():
return render_error(request, _('Feature is not enabled.'))
code = request.GET.get('code', None)
state = request.GET.get('state', None)
weixin_oauth_state = request.session.get('weixin_oauth_state', None)
weixin_oauth_redirect = request.session.get('weixin_oauth_redirect',
redirect_to)
org_id = request.session.get('weixin_oauth_org_id', None)
is_mobile_weixin = request.session.get('weixin_oauth_is_mobile_weixin',
False)
# clear session
try:
del request.session['weixin_oauth_state']
del request.session['weixin_oauth_redirect']
del request.session['weixin_oauth_org_id']
del request.session['weixin_oauth_is_mobile_weixin']
except Exception as e:
logger.warning(e)
# get api user info
if state != weixin_oauth_state or not code:
logger.error('can not get right code or state from weixin request')
return render_error(request, _('Error, please contact administrator.'))
access_token, openid = get_weixin_access_token_and_openid(
code, is_mobile_weixin)
if not access_token or not openid:
logger.error('can not get weixin access_token or openid')
return render_error(request, _('Error, please contact administrator.'))
weixin_api_user_info = get_weixin_api_user_info(access_token, openid)
if not weixin_api_user_info:
return render_error(request, _('Error, please contact administrator.'))
# main
user_id = weixin_api_user_info.get('unionid')
uid = WEIXIN_UID_PREFIX + user_id
weixin_user = SocialAuthUser.objects.get_by_provider_and_uid(
WEIXIN_PROVIDER, uid)
if weixin_user:
email = weixin_user.username
is_new_user = False
else:
email = None
is_new_user = True
try:
user = auth.authenticate(remote_user=email)
except User.DoesNotExist:
user = None
if not user:
return render_error(
request,
_('Error, new user registration is not allowed, please contact administrator.'
))
# bind
username = user.username
if is_new_user:
SocialAuthUser.objects.add(username, WEIXIN_PROVIDER, uid)
# org invite for new user
if org_id:
if is_new_user:
ccnet_api.add_org_user(org_id, username, int(False))
else:
return render_error(request, '仅限新用户加入机构')
# update user info
if is_new_user or WEIXIN_USER_INFO_AUTO_UPDATE:
api_user = weixin_api_user_info
api_user['username'] = username
update_weixin_user_info(api_user)
if not user.is_active:
return render_error(
request,
_('Your account is created successfully, please wait for administrator to activate your account.'
))
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
request.session['remember_me'] = REMEMBER_ME
auth.login(request, user)
# generate auth token for Seafile client
api_token = get_api_token(request)
# redirect user to page
response = HttpResponseRedirect(weixin_oauth_redirect)
response.set_cookie('seahub_auth', user.username + '@' + api_token.key)
return response
