def handle_auth_success(self, auth_info):
"""Called after a successful authentication
This method calls :meth:`login_finished` with the found
identity. If ``MULTIPASS_ALL_MATCHING_IDENTITIES`` is set, it
will pass a list of identities. If ``MULTIPASS_REQUIRE_IDENTITY``
is set, :exc:`.IdentityRetrievalFailed` will be raised if no
identities were found, otherwise ``None`` or and empty list
will be passed.
:param auth_info: An :class:`.AuthInfo` instance containing
data that can be used to retrieve the user's
unique identity.
:return: A Flask response
"""
links = self.provider_map[auth_info.provider.name]
identities = []
for link in links:
provider = self.identity_providers[link['identity_provider']]
mapping = link.get('mapping', {})
identity_info = provider.get_identity_from_auth(auth_info.map(mapping))
if identity_info is None:
continue
identities.append(identity_info)
if not current_app.config['MULTIPASS_ALL_MATCHING_IDENTITIES']:
break
if not identities and current_app.config['MULTIPASS_REQUIRE_IDENTITY']:
raise IdentityRetrievalFailed("No identity found", provider=auth_info.provider)
session['_multipass_login_provider'] = auth_info.provider.name
if current_app.config['MULTIPASS_ALL_MATCHING_IDENTITIES']:
response = self.login_finished(identities)
else:
response = self.login_finished(identities[0] if identities else None)
return response or self.redirect_success()
def get_identity_from_auth(self, auth_info):
identifier = auth_info.data.get(self.id_field)
if not identifier:
raise IdentityRetrievalFailed(
'Identifier ({}) missing in authlib response'.format(
self.id_field),
provider=self)
return IdentityInfo(self, identifier=identifier, **auth_info.data)
def _get_identity(self, token):
resp = self.oauth_app.request(self.settings['endpoint'], method=self.settings['method'], token=(token, None))
if resp.status not in self.settings['valid_statuses']:
raise IdentityRetrievalFailed('Could not retrieve identity data')
elif resp.status == 404:
return None
identifier = resp.data[self.settings['identifier_field']]
multipass_data = {'oauth_token': token}
return IdentityInfo(self, identifier, multipass_data, **resp.data)
def get_identity(self, provider, identifier):
"""Retrieves user identity information from a provider.
This method is similar to :meth:`refresh_identity` but does
not require `multiauth_data`.
:param identifier: The unique user identifier used by the
provider.
:return: An :class:`.IdentityInfo` instance or ``None`` if the
identity does not exist.
"""
try:
provider = self.identity_providers[provider]
except KeyError:
raise IdentityRetrievalFailed('Provider does not exist: ' + provider)
if not provider.supports_get:
raise IdentityRetrievalFailed('Provider does not support getting identities: ' + provider.name,
provider=provider)
return provider.get_identity(identifier)
def refresh_identity(self, identifier, multipass_data):
"""Retrieves user identity information for an existing identity
:param identifier: The `identifier` from :class:`.IdentityInfo`
:param multipass_data: The `multipass_data` dict from
:class:`.IdentityInfo`
:return: An :class:`.IdentityInfo` instance or ``None`` if the
identity does not exist anymore.
"""
if multipass_data is None:
raise ValueError('This identity cannot be refreshed')
provider_name = multipass_data['_provider']
try:
provider = self.identity_providers[provider_name]
except KeyError:
raise IdentityRetrievalFailed('Provider does not exist: ' + provider_name)
if not provider.supports_refresh:
raise IdentityRetrievalFailed('Provider does not support refreshing: ' + provider_name, provider=provider)
return provider.refresh_identity(identifier, multipass_data)
def search_identities(self, criteria, exact=False):
with ldap_context(self.ldap_settings):
search_filter = build_user_search_filter(criteria,
self.settings['mapping'],
exact=exact)
if not search_filter:
raise IdentityRetrievalFailed(
"Unable to generate search filter from criteria")
for _, user_data in self._search_users(search_filter):
yield IdentityInfo(
self,
identifier=user_data[self.ldap_settings['uid']][0],
**to_unicode(user_data))
def _get_identity(self, token):
resp = self.oauth_app.request(self.settings['method'],
self.settings['endpoint'],
token=token)
if resp.status_code not in self.settings['valid_statuses']:
raise IdentityRetrievalFailed('Could not retrieve identity data',
provider=self)
elif resp.status_code == 404:
return None
data = resp.json()
identifier = data[self.settings['identifier_field']]
multipass_data = {'oauth_token': token}
return IdentityInfo(self, identifier, multipass_data, **data)
def get_user_by_id(uid, attributes=None):
"""Retrieves a user's data from LDAP, given its identifier.
:param uid: str -- the identifier of the user
:param attributes: list -- Attributes to be retrieved for the user.
If ``None``, all attributes will be retrieved.
:raises IdentityRetrievalFailed: If the identifier is falsely.
:return: A tuple containing the `dn` of the user as ``str`` and the
found attributes in a ``dict``.
"""
if not uid:
raise IdentityRetrievalFailed("No identifier specified")
user_filter = build_user_search_filter({current_ldap.settings['uid']: {uid}}, exact=True)
return find_one(current_ldap.settings['user_base'], user_filter, attributes=attributes)
def has_member(self, user_identifier):
with ldap_context(self.ldap_settings):
user_dn, user_data = get_user_by_id(
user_identifier,
attributes=[self.ldap_settings['member_of_attr']])
if not user_dn:
raise IdentityRetrievalFailed('No such user: '******'ad_group_style']:
group_dn, group_data = get_group_by_id(
self.name, attributes=['objectSid'])
group_sids = group_data.get('objectSid')
token_groups = get_token_groups_from_user_dn(user_dn)
return any(group_sid in token_groups
for group_sid in group_sids)
else:
return self.dn in user_data.get(
self.ldap_settings['member_of_attr'], [])
def get_identity_from_auth(self, auth_info):
identifier = auth_info.data.get(self.id_field)
if not identifier:
raise IdentityRetrievalFailed(
'Identifier missing in shibboleth response', provider=self)
return IdentityInfo(self, identifier=identifier, **auth_info.data)
def get_identity_from_auth(self, auth_info):
identifier = auth_info.data.get(self.settings['identifier_field'])
if not identifier:
raise IdentityRetrievalFailed(
'Identifier missing in shibboleth response')
return IdentityInfo(self, identifier=identifier, **auth_info.data)
def get_identity_from_auth(self, auth_info):
identifier = auth_info.data.get('_username')
if not identifier:
raise IdentityRetrievalFailed("Identifier missing in CAS response")
return IdentityInfo(self, identifier=identifier, **auth_info.data)
