Beispiel #1
0
 def test_is_safe_url(self, mock):  # pylint: disable=R0201
     """
     Test that only urls from the same domain are set as safe
     by the is_safe_url function
     """
     mock.host_url = "https://example.com"
     assert is_safe_url("https://example.com") is True
     assert is_safe_url("https://google.com") is False
Beispiel #2
0
    def login_init(self, provider=None):
        """
        Checks authorization and if a user is not authorized,
        inits the sign-in process and returns a state
        """
        logging.debug("Provider: %s", provider)

        if g.user is not None and g.user.is_authenticated:
            logging.debug("Provider %s is already authorized by %s", provider,
                          g.user)
            return make_response(jsonify(isAuthorized=True))

        redirect_url = request.args.get("redirect_url")
        if not redirect_url or not is_safe_url(redirect_url):
            logging.debug("The arg redirect_url not found or not safe")
            return abort(400)

        logging.debug("Initialization of authorization process for: %s",
                      provider)

        # libraries assume that
        # 'redirect_url' should be available in the session
        session['%s_oauthredir' % provider] = redirect_url

        state = self.generate_state()
        return make_response(jsonify(isAuthorized=False, state=state))
Beispiel #3
0
    def oauth_authorized(self, provider):
        """View that a user is redirected to from the Oauth server"""

        logging.debug("Authorized init")
        if "Custom-Api-Token" in request.headers:
            logging.debug("Custom-Api-Token is present")
            resp = {"access_token": request.headers.get("Custom-Api-Token")}
        else:
            resp = self.appbuilder.sm.oauth_remotes[
                provider].authorize_access_token()
        if resp is None:
            flash("You denied the request to sign in.", "warning")
            return redirect("/login")

        logging.debug(f"OAUTH Authorized resp: {resp}")

        # Retrieves specific user info from the provider
        try:
            self.appbuilder.sm.set_oauth_session(provider, resp)
            userinfo = self.appbuilder.sm.oauth_user_info(provider, resp)
        except Exception as no_user:  # pylint: disable=broad-except
            logging.error(f"Error returning user info: {no_user}")
            user = None
        else:
            logging.debug(f"User info retrieved from {provider}: {userinfo}")
            # User email is not whitelisted
            if provider in self.appbuilder.sm.oauth_whitelists:
                whitelist = self.appbuilder.sm.oauth_whitelists[provider]
                allow = False
                for item in whitelist:
                    if re.search(item, userinfo["email"]):
                        allow = True
                        break
                if not allow:
                    flash("You are not authorized.", "warning")
                    return redirect("/login")
            else:
                logging.debug("No whitelist for OAuth provider")
            user = self.appbuilder.sm.auth_user_oauth(userinfo)

        if user is None:
            flash(as_unicode(self.invalid_login_message), "warning")
            return redirect("/login")
        login_user(user)

        # handle custom redirection
        # first try redirection via a request arg
        redirect_url = request.args.get("redirect_url")
        # if we dont yet have a direct url, try and get it from configs
        if not redirect_url:
            redirect_url = self.appbuilder.sm.get_oauth_redirect_url(provider)
        # if we have it, do the redirection
        if redirect_url:
            # check if the url is safe for redirects.
            if not is_safe_url(redirect_url):
                return abort(400)

            return redirect(redirect_url)

        return redirect(self.appbuilder.get_url_for_index)
Beispiel #4
0
    def login(self, provider=None, register=None):
        """The login view from AuthOAuthView"""
        logging.debug(f"Provider: {provider}")

        # handle redirect
        redirect_url = self.appbuilder.get_url_for_index
        if request.args.get('redirect_url') is not None:
            redirect_url = request.args.get('redirect_url')
            if not is_safe_url(redirect_url):
                return abort(400)

        if g.user is not None and g.user.is_authenticated:
            logging.debug(f"Already authenticated {g.user}")
            return redirect(redirect_url)

        if provider is None:
            return self.render_template(
                self.login_template,
                providers=self.appbuilder.sm.oauth_providers,
                title=self.title,
                appbuilder=self.appbuilder,
            )
        logging.debug(f"Going to call authorize for: {provider}")
        state = self.generate_state()
        try:
            scheme = self.appbuilder.app.config.get('PREFERRED_URL_SCHEME',
                                                    'https')
            if register:
                logging.debug("Login to Register")
                session["register"] = True
            if provider == "twitter":
                return self.appbuilder.sm.oauth_remotes[
                    provider].authorize_redirect(redirect_uri=url_for(
                        ".oauth_authorized",
                        provider=provider,
                        _external=True,
                        _scheme=scheme,
                        state=state,
                    ))
            callback = url_for(".oauth_authorized",
                               provider=provider,
                               _external=True,
                               _scheme=scheme)
            return self.appbuilder.sm.oauth_remotes[
                provider].authorize_redirect(redirect_uri=callback, )
        except Exception as err:  # pylint: disable=broad-except
            logging.error(f"Error on OAuth authorize: {err}")
            flash(as_unicode(self.invalid_login_message), "warning")
            return redirect(redirect_url)
Beispiel #5
0
    def login_init(self, provider=None):
        logging.debug(f"Provider: {provider}")

        if g.user is not None and g.user.is_authenticated:
            logging.debug(
                f"Provider {provider} is already authenticated by {g.user}")
            return make_response(jsonify(isAuthorized=True))

        redirect_url = request.args.get("redirect_url")
        if not redirect_url or not is_safe_url(redirect_url):
            logging.debug(f"The arg redirect_url not found or not safe")
            return abort(400)

        logging.debug(
            f"Initialization of authorization process for: {provider}")

        # libraries assume that 'redirect_url' should be available in the session
        session['%s_oauthredir' % provider] = redirect_url

        state = self.generateState()
        return make_response(jsonify(isAuthorized=False, state=state))