def sync_update_user(self, ldap_user, db_user, email):
'''
set_status = False
if db_user.is_active == 0:
set_status = True
if ldap_user.password != db_user.password or set_status:
rc = update_ldap_user(db_user.user_id, email, ldap_user.password,
db_user.is_staff, db_user.is_active)
if rc < 0:
logger.warning('Update user [%s] failed.' % email)
else:
logger.debug('Update user [%s] success.' % email)
self.uuser += 1
'''
ret = 0
if ldap_user.role:
role = role_mapping(ldap_user.role)
if not db_user.is_manual_set and db_user.role != role:
ret = ccnet_api.update_role_emailuser(email, role, False)
if ret == 0:
self.urole += 1
#logger.debug('Update role [%s] for user [%s] success.' % (role, email))
if ret < 0:
logger.warning('Update role [%s] for user [%s] failed.' % (role, email))
if ldap_user.config.enable_extra_user_info_sync:
self.update_profile(email, db_user, ldap_user)
if ldap_user.dept != db_user.dept:
self.update_dept(email, ldap_user.dept)
def update_user_role(self, user_info):
""" Specific for Shibboleth
"""
affiliation = user_info.get('affiliation', '')
if not affiliation:
return
for e in affiliation.split(';'):
role = self._get_role_by_affiliation(e)
if not role:
continue
# update user role
ccnet_api.update_role_emailuser(user_info['email'], role)
# update user role quota
role_quota = get_enabled_role_permissions_by_role(
role)['role_quota']
if role_quota:
quota = get_quota_from_string(role_quota)
seafile_api.set_role_quota(role, quota)
def sync_add_user(self, ldap_user, email):
user_id = add_ldap_user(email, ldap_user.password, 0,
1 if self.settings.activate_user else 0)
if user_id <= 0:
logger.warning('Add user [%s] failed.' % email)
return
self.auser += 1
logger.debug('Add user [%s] success.' % email)
ret = 0
if ldap_user.role:
role = role_mapping(ldap_user.role)
ret = ccnet_api.update_role_emailuser(email, role, False)
if ret == 0:
self.arole += 1
logger.debug('Add role [%s] for user [%s] success.' % (role, email))
if ret < 0:
logger.warning('Add role [%s] for user [%s] failed.' % (role, email))
if ldap_user.config.enable_extra_user_info_sync:
self.add_profile(email, ldap_user)
self.add_dept(email, ldap_user.dept)
def process_request(self, request):
if request.path.rstrip('/') != settings.SITE_ROOT + 'sso':
return
# AuthenticationMiddleware is required so that request.user exists.
if not hasattr(request, 'user'):
raise ImproperlyConfigured(
"The Django remote user auth middleware requires the"
" authentication middleware to be installed. Edit your"
" MIDDLEWARE setting to insert"
" 'django.contrib.auth.middleware.AuthenticationMiddleware'"
" before the RemoteUserMiddleware class.")
# To support logout. If this variable is True, do not
# authenticate user and return now.
if request.session.get(LOGOUT_SESSION_KEY) is True:
return
else:
# Delete the shib reauth session key if present.
request.session.pop(LOGOUT_SESSION_KEY, None)
# Locate the remote user header.
# import pprint; pprint.pprint(request.META)
try:
username = request.META[SHIB_USER_HEADER]
except KeyError:
# If specified header doesn't exist then return (leaving
# request.user set to AnonymousUser by the
# AuthenticationMiddleware).
return
p_id = ccnet_api.get_primary_id(username)
if p_id is not None:
username = p_id
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
# persisted in the session and we don't need to continue.
if request.user.is_authenticated():
if request.user.username == username:
if request.user.is_staff:
update_sudo_mode_ts(request)
return
# Make sure we have all required Shiboleth elements before proceeding.
shib_meta, error = self.parse_attributes(request)
# Add parsed attributes to the session.
request.session['shib'] = shib_meta
if error:
raise ShibbolethValidationError("All required Shibboleth elements"
" not found. %s" % shib_meta)
# We are seeing this user for the first time in this session, attempt
# to authenticate the user.
user = auth.authenticate(remote_user=username, shib_meta=shib_meta)
if user:
if not user.is_active:
return HttpResponseRedirect(reverse('shib_complete'))
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
auth.login(request, user)
user.set_unusable_password()
user.save()
# call make profile.
self.make_profile(user, shib_meta)
if CUSTOM_SHIBBOLETH_GET_USER_ROLE:
user_role = custom_shibboleth_get_user_role(shib_meta)
if user_role:
ccnet_api.update_role_emailuser(user.email, user_role)
else:
user_role = self.update_user_role(user, shib_meta)
else:
user_role = self.update_user_role(user, shib_meta)
if user_role:
self.update_user_quota(user, user_role)
# setup session.
self.setup_session(request)
request.shib_login = True
def update_role(self, email, role):
"""
If user has a role, update it; or create a role for user.
"""
ccnet_api.update_role_emailuser(email, role)
return self.get(email=email)
def oauth_callback(request):
""" Step 3: Retrieving an access token.
The user has been redirected back from the provider to your registered
callback URL. With this redirection comes an authorization code included
in the redirect URL. We will use that to obtain an access token.
"""
session = OAuth2Session(client_id=CLIENT_ID,
scope=SCOPE,
state=request.session.get('oauth_state', None),
redirect_uri=REDIRECT_URL)
try:
token = session.fetch_token(
TOKEN_URL,
client_secret=CLIENT_SECRET,
authorization_response=request.get_full_path())
if 'user_id' in session._client.__dict__['token']:
# used for sjtu.edu.cn
# https://xjq12311.gitbooks.io/sjtu-engtc/content/
user_id = session._client.__dict__['token']['user_id']
user_info_resp = session.get(USER_INFO_URL +
'?user_id=%s' % user_id)
else:
user_info_url = USER_INFO_URL
if ACCESS_TOKEN_IN_URI:
code = request.GET.get('code')
user_info_url = USER_INFO_URL + '?access_token=%s&code=%s' % (
token['access_token'], code)
user_info_resp = session.get(user_info_url)
except Exception as e:
logger.error(e)
return render_error(request, _('Error, please contact administrator.'))
def format_user_info(user_info_resp):
logger.info('user info resp: %s' % user_info_resp.text)
error = False
user_info = {}
user_info_json = user_info_resp.json()
for item, attr in list(ATTRIBUTE_MAP.items()):
required, user_attr = attr
value = user_info_json.get(item, '')
if value:
# ccnet email
if user_attr == 'email':
user_info[user_attr] = value if is_valid_email(str(value)) else \
'%s@%s' % (str(value), PROVIDER_DOMAIN)
else:
user_info[user_attr] = value
elif required:
error = True
return user_info, error
user_info, error = format_user_info(user_info_resp)
if error:
logger.error('Required user info not found.')
logger.error(user_info)
return render_error(request, _('Error, please contact administrator.'))
# seahub authenticate user
email = user_info['email']
try:
user = auth.authenticate(remote_user=email)
except User.DoesNotExist:
user = None
except Exception as e:
logger.error(e)
return render_error(request, _('Error, please contact administrator.'))
if not user or not user.is_active:
logger.error('User %s not found or inactive.' % email)
# a page for authenticate user failed
return render_error(request, _('User %s not found.') % email)
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
auth.login(request, user)
# update user's profile
name = user_info['name'] if 'name' in user_info else ''
contact_email = user_info['contact_email'] if 'contact_email' in user_info else ''
profile = Profile.objects.get_profile_by_user(email)
if not profile:
profile = Profile(user=email)
if name:
profile.nickname = name.strip()
profile.save()
if contact_email:
profile.contact_email = contact_email.strip()
profile.save()
if CUSTOM_GET_USER_ROLE:
remote_role_value = user_info.get('role', '')
if remote_role_value:
role = custom_get_user_role(remote_role_value)
# update user role
ccnet_api.update_role_emailuser(user_info['email'], role)
# update user role quota
role_quota = get_enabled_role_permissions_by_role(role)['role_quota']
if role_quota:
quota = get_quota_from_string(role_quota)
seafile_api.set_role_quota(role, quota)
# generate auth token for Seafile client
api_token = get_api_token(request)
# redirect user to home page
response = HttpResponseRedirect(request.session.get('oauth_redirect', '/'))
response.set_cookie('seahub_auth', email + '@' + api_token.key)
return response