def test_is_request_using_sso_true():
"""
Testing the successful criteria for an sso request.
"""
request = RequestFactory().get('/sso/test')
generator.create_request_session(request, use_sso=True)
eq(is_request_using_sso(request), True)
def test_is_request_using_sso_false_with_session():
"""
Testing the usual case for non-sso requests.
"""
request = RequestFactory().get('/sso/test')
generator.create_request_session(request)
eq(is_request_using_sso(request), False)
def _two_factor_required(view_func, domain_obj, request):
"""
Check if Two Factor Authentication is required.
:param view_func: the view function being accessed
:param domain_obj: Domain instance associated with the view
:param request: Request
:return: Boolean (True if 2FA is required)
"""
exempt = getattr(view_func, 'two_factor_exempt', False)
if exempt:
return False
if not request.couch_user:
return False
if (ENTERPRISE_SSO.enabled_for_request(request)
and is_request_using_sso(request)):
# SSO authenticated users manage two-factor auth on the Identity Provider
# level, so CommCare HQ does not attempt 2FA with them. This is one of
# the reasons we require that domains establish TrustedIdentityProvider
# relationships.
return False
return (
# If a user is a superuser, then there is no two_factor_disabled loophole allowed.
# If you lose your phone, you have to give up superuser privileges
# until you have two factor set up again.
settings.REQUIRE_TWO_FACTOR_FOR_SUPERUSERS
and request.couch_user.is_superuser
) or (
# For other policies requiring two factor auth,
# allow the two_factor_disabled loophole for people who have lost their phones
# and need time to set up two factor auth again.
(domain_obj.two_factor_auth
or TWO_FACTOR_SUPERUSER_ROLLOUT.enabled(request.couch_user.username))
and not request.couch_user.two_factor_disabled)
def _inner(request, *args, **kwargs):
user = request.user
if ((IS_CONTRACTOR.enabled(user.username) or user.is_superuser)
and not is_request_using_sso(request)):
return view_func(request, *args, **kwargs)
else:
return HttpResponseRedirect(reverse("no_permissions"))
def page_context(self):
if not (toggles.ENTERPRISE_SSO.enabled_for_request(self.request)
and is_request_using_sso(self.request)):
return {}
idp = IdentityProvider.get_active_identity_provider_by_username(
self.request.user.username)
return {
'is_using_sso': True,
'idp_name': idp.name,
}
def _inner(req, domain, *args, **kwargs):
user = req.user
domain_name, domain_obj = load_domain(req, domain)
def call_view(): return view_func(req, domain_name, *args, **kwargs)
if not domain_obj:
msg = _('The domain "{domain}" was not found.').format(domain=domain_name)
raise Http404(msg)
if not (user.is_authenticated and user.is_active):
if _is_public_custom_report(req.path, domain_name):
return call_view()
else:
login_url = reverse('domain_login', kwargs={'domain': domain_name})
return redirect_for_login_or_domain(req, login_url=login_url)
couch_user = _ensure_request_couch_user(req)
if not domain_obj.is_active:
return _inactive_domain_response(req, domain_name)
if domain_obj.is_snapshot:
if not hasattr(req, 'couch_user') or not req.couch_user.is_previewer():
raise Http404()
return call_view()
if couch_user.is_member_of(domain_obj, allow_mirroring=True):
if _is_missing_two_factor(view_func, req):
return TemplateResponse(request=req, template='two_factor/core/otp_required.html', status=403)
elif not _can_access_project_page(req):
return _redirect_to_project_access_upgrade(req)
elif (ENTERPRISE_SSO.enabled_for_request(req) # safety check. next line was not formally QA'd yet
and is_request_blocked_from_viewing_domain_due_to_sso(req, domain_obj)):
# Important! Make sure this is always the final check prior
# to returning call_view() below
return render_untrusted_identity_provider_for_domain_view(req, domain_obj)
else:
return call_view()
elif user.is_superuser:
if domain_obj.restrict_superusers and not _page_is_whitelisted(req.path, domain_obj.name):
from corehq.apps.hqwebapp.views import no_permissions
msg = "This project space restricts superuser access. You must request an invite to access it."
return no_permissions(req, message=msg)
if not _can_access_project_page(req):
return _redirect_to_project_access_upgrade(req)
if (ENTERPRISE_SSO.enabled_for_request(req) # safety check. next line was not formally QA'd yet
and is_request_using_sso(req)):
# We will not support SSO for superusers at this time
return HttpResponseForbidden(
"SSO support is not currently available for superusers."
)
return call_view()
elif couch_user.is_web_user() and domain_obj.allow_domain_requests:
from corehq.apps.users.views.web import DomainRequestView
return DomainRequestView.as_view()(req, *args, **kwargs)
else:
raise Http404
def page_context(self):
is_using_sso = is_request_using_sso(self.request)
idp_name = None
if is_using_sso:
idp = IdentityProvider.get_active_identity_provider_by_username(
self.request.user.username)
idp_name = idp.name
return {
'form': self.password_change_form,
'hide_password_feedback': has_custom_clean_password(),
'is_using_sso': is_using_sso,
'idp_name': idp_name,
}
def get_context_data(self, **kwargs):
context = super().get_context_data(**kwargs)
if is_request_using_sso(self.request):
idp = IdentityProvider.get_active_identity_provider_by_username(
self.request.user.username)
context.update({
'is_using_sso': True,
'idp_name': idp.name,
})
elif context.get('default_device'):
# Default device means the user has 2FA already enabled
has_existing_backup_phones = bool(context.get('backup_phones'))
context.update({
'allow_phone_2fa':
has_existing_backup_phones
or _user_can_use_phone(self.request.couch_user),
})
return context
def permissions_check(self, report, request, domain=None, is_navigation_check=False):
return (
hasattr(request, 'couch_user')
and request.user.has_perm("is_superuser")
and not is_request_using_sso(request)
)
def test_is_request_using_sso_false_without_session():
"""
Make sure this call is safe even when session is missing from the request.
"""
request = RequestFactory().get('/sso/test')
eq(is_request_using_sso(request), False)
def _inner(request, *args, **kwargs):
user = request.user
if user.is_superuser and not is_request_using_sso(request):
return view_func(request, *args, **kwargs)
else:
return HttpResponseRedirect(reverse("no_permissions"))