Beispiel #1
    def _get_session_by_ext_id(self, sec_type, sec_def_id, ext_session_id=None, _utcnow=datetime.utcnow):
        """ Looks up an SSO session by its external session ID.

        Opens an ODB session through self.odb_session_func, guarantees it is closed on exit
        and returns whatever get_session_by_ext_id produces for ext_session_id and the value
        returned by _utcnow() (datetime.utcnow unless overridden).
        """
        # NOTE(review): sec_type and sec_def_id are accepted but never read in this body and
        # ext_session_id is handed to the query exactly as received. Presumably callers pass
        # the already derived ID (e.g. a hash rather than a raw token) - confirm, and confirm
        # what the query does when ext_session_id is left at its default of None.
        odb_session = self.odb_session_func()

        with closing(odb_session) as session:
            now = _utcnow()
            return get_session_by_ext_id(session, ext_session_id, now)
Beispiel #2
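    def on_external_auth_succeeded(self,
                                   cid,
                                   sec_def,
                                   user_id,
                                   ext_session_id,
                                   current_app,
                                   remote_addr,
                                   user_agent=None,
                                   _basic_auth=SEC_DEF_TYPE.BASIC_AUTH,
                                   _jwt=SEC_DEF_TYPE.JWT,
                                   _utcnow=datetime.utcnow,
                                   _sha256=sha256):
        """ Invoked when a user succeeded in authentication via means external to default SSO credentials,
        e.g. through Basic Auth or JWT. Creates an SSO session related to that event or renews an existing one.

        The external session ID is normalised before any lookup. For Basic Auth it is rebuilt as
        '<sec_type>.<sec_def id>' and the value passed in by the caller is ignored. For JWT it is
        replaced with the SHA-256 hex digest of the value passed in. Any other security type
        raises NotImplementedError.

        Returns the result of self.login when a new session is created. When an existing session
        is renewed, nothing is returned explicitly (see the note at that branch).
        """
        # type: (unicode, Bunch, unicode, unicode, unicode, unicode) -> SessionInfo

        # PII audit comes first. The extra fields below do not include ext_session_id,
        # so a raw JWT is not written to the audit log by this call.
        audit_pii.info(cid,
                       'session.on_external_auth_succeeded',
                       extra={
                           'current_app': current_app,
                           'remote_addr': remote_addr,
                           'sec.sec_type': sec_def.sec_type,
                           'sec.id': sec_def.id,
                           'sec.username': sec_def.username,
                       })

        if sec_def.sec_type == _basic_auth:
            # The ID depends only on the security definition, not on anything sent by the client
            ext_session_id = '{}.{}'.format(sec_def.sec_type, sec_def.id)
        elif sec_def.sec_type == _jwt:
            # JWT tokens tend to be long so we store their hashes rather than raw values.
            # hashlib accepts bytes only under Python 3, hence text is encoded to UTF-8 first.
            # Byte strings, and anything else, are passed through unchanged so that inputs
            # which were hashable before produce the same digest and invalid ones raise as before.
            token = ext_session_id
            if isinstance(token, type(u'')):
                token = token.encode('utf8')
            ext_session_id = _sha256(token).hexdigest()
        else:
            raise NotImplementedError()

        existing_ust = None  # type: unicode

        # Check if there is already a session associated with this external one
        # NOTE(review): the lookup is keyed on ext_session_id alone and user_id is not compared
        # with the session found here - confirm that the query or the caller ties it to the same user.
        with closing(self.odb_session_func()) as session:
            sso_session = get_session_by_ext_id(session, ext_session_id,
                                                _utcnow())
            if sso_session:
                existing_ust = sso_session.ust

        # .. if there is, renew it ..
        if existing_ust:
            # NOTE(review): the result of renew is discarded and this branch falls through to
            # an implicit None, although the type comment above declares SessionInfo - confirm
            # what callers expect when a session is renewed rather than created.
            self.renew(cid, existing_ust, current_app, remote_addr, user_agent,
                       False)

        # .. otherwise, create a new one, flagged as logged in through external means.
        else:
            # NOTE(review): the meaning of the two positional False values depends on
            # LoginCtx's signature, which is not visible here.
            ctx = LoginCtx(remote_addr, user_agent, False, False, {
                'user_id': user_id,
                'current_app': current_app
            }, ext_session_id)
            return self.login(ctx, is_logged_in_ext=True)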