def handle_auth_success(self, auth_info): """Called after a successful authentication This method calls :meth:`login_finished` with the found identity. If ``MULTIPASS_ALL_MATCHING_IDENTITIES`` is set, it will pass a list of identities. If ``MULTIPASS_REQUIRE_IDENTITY`` is set, :exc:`.IdentityRetrievalFailed` will be raised if no identities were found, otherwise ``None`` or and empty list will be passed. :param auth_info: An :class:`.AuthInfo` instance containing data that can be used to retrieve the user's unique identity. :return: A Flask response """ links = self.provider_map[auth_info.provider.name] identities = [] for link in links: provider = self.identity_providers[link['identity_provider']] mapping = link.get('mapping', {}) identity_info = provider.get_identity_from_auth(auth_info.map(mapping)) if identity_info is None: continue identities.append(identity_info) if not current_app.config['MULTIPASS_ALL_MATCHING_IDENTITIES']: break if not identities and current_app.config['MULTIPASS_REQUIRE_IDENTITY']: raise IdentityRetrievalFailed("No identity found", provider=auth_info.provider) session['_multipass_login_provider'] = auth_info.provider.name if current_app.config['MULTIPASS_ALL_MATCHING_IDENTITIES']: response = self.login_finished(identities) else: response = self.login_finished(identities[0] if identities else None) return response or self.redirect_success()
def get_identity_from_auth(self, auth_info): identifier = auth_info.data.get(self.id_field) if not identifier: raise IdentityRetrievalFailed( 'Identifier ({}) missing in authlib response'.format( self.id_field), provider=self) return IdentityInfo(self, identifier=identifier, **auth_info.data)
def _get_identity(self, token): resp = self.oauth_app.request(self.settings['endpoint'], method=self.settings['method'], token=(token, None)) if resp.status not in self.settings['valid_statuses']: raise IdentityRetrievalFailed('Could not retrieve identity data') elif resp.status == 404: return None identifier = resp.data[self.settings['identifier_field']] multipass_data = {'oauth_token': token} return IdentityInfo(self, identifier, multipass_data, **resp.data)
def get_identity(self, provider, identifier): """Retrieves user identity information from a provider. This method is similar to :meth:`refresh_identity` but does not require `multiauth_data`. :param identifier: The unique user identifier used by the provider. :return: An :class:`.IdentityInfo` instance or ``None`` if the identity does not exist. """ try: provider = self.identity_providers[provider] except KeyError: raise IdentityRetrievalFailed('Provider does not exist: ' + provider) if not provider.supports_get: raise IdentityRetrievalFailed('Provider does not support getting identities: ' + provider.name, provider=provider) return provider.get_identity(identifier)
def refresh_identity(self, identifier, multipass_data): """Retrieves user identity information for an existing identity :param identifier: The `identifier` from :class:`.IdentityInfo` :param multipass_data: The `multipass_data` dict from :class:`.IdentityInfo` :return: An :class:`.IdentityInfo` instance or ``None`` if the identity does not exist anymore. """ if multipass_data is None: raise ValueError('This identity cannot be refreshed') provider_name = multipass_data['_provider'] try: provider = self.identity_providers[provider_name] except KeyError: raise IdentityRetrievalFailed('Provider does not exist: ' + provider_name) if not provider.supports_refresh: raise IdentityRetrievalFailed('Provider does not support refreshing: ' + provider_name, provider=provider) return provider.refresh_identity(identifier, multipass_data)
def search_identities(self, criteria, exact=False): with ldap_context(self.ldap_settings): search_filter = build_user_search_filter(criteria, self.settings['mapping'], exact=exact) if not search_filter: raise IdentityRetrievalFailed( "Unable to generate search filter from criteria") for _, user_data in self._search_users(search_filter): yield IdentityInfo( self, identifier=user_data[self.ldap_settings['uid']][0], **to_unicode(user_data))
def _get_identity(self, token): resp = self.oauth_app.request(self.settings['method'], self.settings['endpoint'], token=token) if resp.status_code not in self.settings['valid_statuses']: raise IdentityRetrievalFailed('Could not retrieve identity data', provider=self) elif resp.status_code == 404: return None data = resp.json() identifier = data[self.settings['identifier_field']] multipass_data = {'oauth_token': token} return IdentityInfo(self, identifier, multipass_data, **data)
def get_user_by_id(uid, attributes=None): """Retrieves a user's data from LDAP, given its identifier. :param uid: str -- the identifier of the user :param attributes: list -- Attributes to be retrieved for the user. If ``None``, all attributes will be retrieved. :raises IdentityRetrievalFailed: If the identifier is falsely. :return: A tuple containing the `dn` of the user as ``str`` and the found attributes in a ``dict``. """ if not uid: raise IdentityRetrievalFailed("No identifier specified") user_filter = build_user_search_filter({current_ldap.settings['uid']: {uid}}, exact=True) return find_one(current_ldap.settings['user_base'], user_filter, attributes=attributes)
def has_member(self, user_identifier): with ldap_context(self.ldap_settings): user_dn, user_data = get_user_by_id( user_identifier, attributes=[self.ldap_settings['member_of_attr']]) if not user_dn: raise IdentityRetrievalFailed('No such user: '******'ad_group_style']: group_dn, group_data = get_group_by_id( self.name, attributes=['objectSid']) group_sids = group_data.get('objectSid') token_groups = get_token_groups_from_user_dn(user_dn) return any(group_sid in token_groups for group_sid in group_sids) else: return self.dn in user_data.get( self.ldap_settings['member_of_attr'], [])
def get_identity_from_auth(self, auth_info): identifier = auth_info.data.get(self.id_field) if not identifier: raise IdentityRetrievalFailed( 'Identifier missing in shibboleth response', provider=self) return IdentityInfo(self, identifier=identifier, **auth_info.data)
def get_identity_from_auth(self, auth_info): identifier = auth_info.data.get(self.settings['identifier_field']) if not identifier: raise IdentityRetrievalFailed( 'Identifier missing in shibboleth response') return IdentityInfo(self, identifier=identifier, **auth_info.data)
def get_identity_from_auth(self, auth_info): identifier = auth_info.data.get('_username') if not identifier: raise IdentityRetrievalFailed("Identifier missing in CAS response") return IdentityInfo(self, identifier=identifier, **auth_info.data)