def authorized():
app = xinniuren_remote_app()
resp = app.authorized_response()
access_token = resp['access_token']
if access_token is None:
logger.warning("Access token missing in call back request.")
flash("Validation error. Please retry.")
return redirect(url_for('redash.login'))
profile = get_user_profile(access_token)
if profile is None:
flash("Validation error. Please retry.")
return redirect(url_for('redash.login'))
if 'org_slug' in session:
org = models.Organization.get_by_slug(session.pop('org_slug'))
else:
org = current_org
if not verify_profile(org, profile):
logger.warning("User tried to login with unauthorized domain name: %s (org: %s)", profile['Email'], org)
flash("Your Google Apps account ({}) isn't allowed.".format(profile['Email']))
return redirect(url_for('redash.login', org_slug=org.slug))
# picture_url = "%s?sz=40" % profile['picture']
picture_url = "/static/images/avatar.svg"
user = create_and_login_user(org, profile['UserName'], profile['Email'], picture_url)
if user is None:
return logout_and_redirect_to_index()
unsafe_next_path = request.args.get('state') or url_for("redash.index", org_slug=org.slug)
next_path = get_next_path(unsafe_next_path)
return redirect(next_path)
def login(org_slug=None):
unsafe_next_path = request.args.get('next')
next_path = get_next_path(unsafe_next_path)
if not settings.REMOTE_USER_LOGIN_ENABLED:
logger.error("Cannot use remote user for login without being enabled in settings")
return redirect(url_for('redash.index', next=next_path, org_slug=org_slug))
email = request.headers.get(settings.REMOTE_USER_HEADER)
# Some Apache auth configurations will, stupidly, set (null) instead of a
# falsey value. Special case that here so it Just Works for more installs.
# '(null)' should never really be a value that anyone wants to legitimately
# use as a redash user email.
if email == '(null)':
email = None
if not email:
logger.error("Cannot use remote user for login when it's not provided in the request (looked in headers['" + settings.REMOTE_USER_HEADER + "'])")
return redirect(url_for('redash.index', next=next_path, org_slug=org_slug))
logger.info("Logging in " + email + " via remote user")
user = create_and_login_user(current_org, email, email)
if user is None:
return logout_and_redirect_to_index()
return redirect(next_path or url_for('redash.index', org_slug=org_slug), code=302)
def login(org_slug=None):
unsafe_next_path = request.args.get('next')
next_path = get_next_path(unsafe_next_path)
if not settings.REMOTE_USER_LOGIN_ENABLED:
logger.error(
"Cannot use remote user for login without being enabled in settings"
)
return redirect(
url_for('redash.index', next=next_path, org_slug=org_slug))
email = request.headers.get(settings.REMOTE_USER_HEADER)
# Some Apache auth configurations will, stupidly, set (null) instead of a
# falsey value. Special case that here so it Just Works for more installs.
# '(null)' should never really be a value that anyone wants to legitimately
# use as a redash user email.
if email == '(null)':
email = None
if not email:
logger.error(
"Cannot use remote user for login when it's not provided in the request (looked in headers['"
+ settings.REMOTE_USER_HEADER + "'])")
return redirect(
url_for('redash.index', next=next_path, org_slug=org_slug))
logger.info("Logging in " + email + " via remote user")
user = create_and_login_user(current_org, email, email)
if user is None:
return logout_and_redirect_to_index()
return redirect(next_path or url_for('redash.index', org_slug=org_slug),
code=302)
def login(org_slug=None):
index_url = url_for("redash.index", org_slug=org_slug)
unsafe_next_path = request.args.get('next', index_url)
next_path = get_next_path(unsafe_next_path)
if not settings.LDAP_LOGIN_ENABLED:
logger.error("Cannot use LDAP for login without being enabled in settings")
return redirect(url_for('redash.index', next=next_path))
if current_user.is_authenticated:
return redirect(next_path)
if request.method == 'POST':
ldap_user = auth_ldap_user(request.form['email'], request.form['password'])
if ldap_user is not None:
user = create_and_login_user(
current_org,
ldap_user[settings.LDAP_DISPLAY_NAME_KEY][0],
ldap_user[settings.LDAP_EMAIL_KEY][0]
)
if user is None:
return logout_and_redirect_to_index()
return redirect(next_path or url_for('redash.index'))
else:
flash("Incorrect credentials.")
return render_template("login.html",
org_slug=org_slug,
next=next_path,
email=request.form.get('email', ''),
show_password_login=True,
username_prompt=settings.LDAP_CUSTOM_USERNAME_PROMPT,
hide_forgot_password=True)
def login(org_slug=None):
index_url = url_for("redash.index", org_slug=org_slug)
unsafe_next_path = request.args.get('next', index_url)
next_path = get_next_path(unsafe_next_path)
if not settings.LDAP_LOGIN_ENABLED:
logger.error("Cannot use LDAP for login without being enabled in settings")
return redirect(url_for('redash.index', next=next_path))
if current_user.is_authenticated:
return redirect(next_path)
if request.method == 'POST':
ldap_user = auth_ldap_user(request.form['email'], request.form['password'])
if ldap_user is not None:
user = create_and_login_user(
current_org,
ldap_user[settings.LDAP_DISPLAY_NAME_KEY][0],
ldap_user[settings.LDAP_EMAIL_KEY][0]
)
if user is None:
return logout_and_redirect_to_index()
return redirect(next_path or url_for('redash.index'))
else:
flash("Incorrect credentials.")
return render_template("login.html",
org_slug=org_slug,
next=next_path,
email=request.form.get('email', ''),
show_password_login=True,
username_prompt=settings.LDAP_CUSTOM_USERNAME_PROMPT,
hide_forgot_password=True)
def authorized():
resp = google_remote_app().authorized_response()
access_token = resp['access_token']
if access_token is None:
logger.warning("Access token missing in call back request.")
flash("Validation error. Please retry.")
return redirect(url_for('redash.login'))
profile = get_user_profile(access_token)
if profile is None:
flash("Validation error. Please retry.")
return redirect(url_for('redash.login'))
if 'org_slug' in session:
org = models.Organization.get_by_slug(session.pop('org_slug'))
else:
org = current_org
if not verify_profile(org, profile):
logger.warning("User tried to login with unauthorized domain name: %s (org: %s)", profile['email'], org)
flash("Your Google Apps account ({}) isn't allowed.".format(profile['email']))
return redirect(url_for('redash.login', org_slug=org.slug))
picture_url = "%s?sz=40" % profile['picture']
user = create_and_login_user(org, profile['name'], profile['email'], picture_url)
if user is None:
return logout_and_redirect_to_index()
unsafe_next_path = request.args.get('state') or url_for("redash.index", org_slug=org.slug)
next_path = get_next_path(unsafe_next_path)
return redirect(next_path)
def login(org_slug=None):
# We intentionally use == as otherwise it won't actually use the proxy. So weird :O
# noinspection PyComparisonWithNone
if current_org == None and not settings.MULTI_ORG:
return redirect("/setup")
elif current_org == None:
return redirect("/")
index_url = url_for("redash.index", org_slug=org_slug)
unsafe_next_path = request.args.get("next", index_url)
next_path = get_next_path(unsafe_next_path)
if current_user.is_authenticated:
return redirect(next_path)
if request.method == "POST" and current_org.get_setting("auth_password_login_enabled"):
try:
org = current_org._get_current_object()
user = models.User.get_by_email_and_org(request.form["email"], org)
if (
user
and not user.is_disabled
and user.verify_password(request.form["password"])
):
remember = "remember" in request.form
login_user(user, remember=remember)
return redirect(next_path)
else:
flash("电子邮箱或密码不正确。")
except NoResultFound:
flash("电子邮箱或密码不正确。")
elif request.method == "POST" and not current_org.get_setting("auth_password_login_enabled"):
flash("当前组织密码不正确。")
google_auth_url = get_google_auth_url(next_path)
return render_template(
"login.html",
org_slug=org_slug,
next=next_path,
email=request.form.get("email", ""),
show_google_openid=settings.GOOGLE_OAUTH_ENABLED,
google_auth_url=google_auth_url,
show_password_login=current_org.get_setting("auth_password_login_enabled"),
show_saml_login=current_org.get_setting("auth_saml_enabled"),
show_remote_user_login=settings.REMOTE_USER_LOGIN_ENABLED,
show_ldap_login=settings.LDAP_LOGIN_ENABLED,
)
def redirect_login():
"""Automatically redirects from /login to /remote_user/login.
"""
login_path = get_login_url(external=False, next=None)
if (settings.REMOTE_USER_LOGIN_ENABLED and not request.is_xhr
and request.path.startswith(login_path)):
org_slug = current_org.slug
index_url = url_for("redash.index", org_slug=org_slug)
unsafe_next_path = request.args.get("next", index_url)
next_path = get_next_path(unsafe_next_path)
remote_login_url = url_for("remote_user_auth.login",
next=next_path,
org_slug=org_slug)
return redirect(remote_login_url)
def login(org_slug=None):
# We intentionally use == as otherwise it won't actually use the proxy. So weird :O
# noinspection PyComparisonWithNone
if current_org == None and not settings.MULTI_ORG:
return redirect('/setup')
elif current_org == None:
return redirect('/')
index_url = url_for('redash.index', org_slug=org_slug)
unsafe_next_path = request.args.get('next', index_url)
next_path = get_next_path(unsafe_next_path)
if current_user.is_authenticated:
return redirect(next_path)
# support cas auth
if settings.CAS_AUTH:
org = current_org._get_current_object()
remember = ('remember' in request.form)
cas_auth(org, remember)
return redirect(next_path)
if request.method == 'POST':
try:
org = current_org._get_current_object()
user = models.User.get_by_email_and_org(request.form['email'], org)
if user and not user.is_disabled and user.verify_password(
request.form['password']):
remember = ('remember' in request.form)
login_user(user, remember=remember)
return redirect(next_path)
else:
flash("Wrong email or password.")
except NoResultFound:
flash("Wrong email or password.")
google_auth_url = get_google_auth_url(next_path)
return render_template(
"login.html",
org_slug=org_slug,
next=next_path,
email=request.form.get('email', ''),
show_google_openid=settings.GOOGLE_OAUTH_ENABLED,
google_auth_url=google_auth_url,
show_password_login=current_org.get_setting(
'auth_password_login_enabled'),
show_saml_login=current_org.get_setting('auth_saml_enabled'),
show_remote_user_login=settings.REMOTE_USER_LOGIN_ENABLED,
show_ldap_login=settings.LDAP_LOGIN_ENABLED)
def authorized():
logger.debug("Authorized user inbound")
resp = oauth.google.authorize_access_token()
user = resp.get("userinfo")
if user:
session["user"] = user
access_token = resp["access_token"]
if access_token is None:
logger.warning("Access token missing in call back request.")
flash("Validation error. Please retry.")
return redirect(url_for("redash.login"))
profile = get_user_profile(access_token)
if profile is None:
flash("Validation error. Please retry.")
return redirect(url_for("redash.login"))
if "org_slug" in session:
org = models.Organization.get_by_slug(session.pop("org_slug"))
else:
org = current_org
if not verify_profile(org, profile):
logger.warning(
"User tried to login with unauthorized domain name: %s (org: %s)",
profile["email"],
org,
)
flash("Your Google Apps account ({}) isn't allowed.".format(
profile["email"]))
return redirect(url_for("redash.login", org_slug=org.slug))
picture_url = "%s?sz=40" % profile["picture"]
user = create_and_login_user(org, profile["name"], profile["email"],
picture_url)
if user is None:
return logout_and_redirect_to_index()
unsafe_next_path = session.get("next_url") or url_for(
"redash.index", org_slug=org.slug)
next_path = get_next_path(unsafe_next_path)
return redirect(next_path)
def login(org_slug=None):
# We intentionally use == as otherwise it won't actually use the proxy. So weird :O
# noinspection PyComparisonWithNone
if current_org == None and not settings.MULTI_ORG:
return redirect('/setup')
elif current_org == None:
return redirect('/')
index_url = url_for('redash.index', org_slug=org_slug)
unsafe_next_path = request.args.get('next', index_url)
next_path = get_next_path(unsafe_next_path)
if current_user.is_authenticated:
return redirect(next_path)
if request.method == 'POST':
try:
org = current_org._get_current_object()
user = models.User.get_by_email_and_org(request.form['email'], org)
if user and not user.is_disabled and user.verify_password(request.form['password']):
remember = ('remember' in request.form)
login_user(user, remember=remember)
return redirect(next_path)
else:
flash("Wrong email or password.")
except NoResultFound:
flash("Wrong email or password.")
google_auth_url = get_google_auth_url(next_path)
return render_template("login.html",
org_slug=org_slug,
next=next_path,
email=request.form.get('email', ''),
show_google_openid=settings.GOOGLE_OAUTH_ENABLED,
google_auth_url=google_auth_url,
show_password_login=current_org.get_setting('auth_password_login_enabled'),
show_saml_login=current_org.get_setting('auth_saml_enabled'),
show_remote_user_login=settings.REMOTE_USER_LOGIN_ENABLED,
show_ldap_login=settings.LDAP_LOGIN_ENABLED)
def check_remote_groups():
"""Check if there is a header of user groups and if yes
check it against a list of allowed user groups from the settings"""
# Quick shortcut out if remote user auth or remote groups aren't enabled
if (
not settings.REMOTE_USER_LOGIN_ENABLED
or not extension_settings.REMOTE_GROUPS_ENABLED
):
return
# Generate the URL to the remote auth login endpoint
if settings.MULTI_ORG:
org = current_org._get_current_object()
remote_auth_path = url_for("remote_user_auth.login", org_slug=org.slug)
else:
remote_auth_path = url_for("remote_user_auth.login")
# Then only act if the request is for the remote user auth view
if request.path.startswith(remote_auth_path):
remote_groups = settings.set_from_string(
request.headers.get(extension_settings.REMOTE_GROUPS_HEADER) or ""
)
# Finally check if the remote groups found in the request header
# intersect with the allowed remote groups
if not extension_settings.REMOTE_GROUPS_ALLOWED.intersection(remote_groups):
logger.error(
"User groups provided in the %s header are not "
"matching the allowed groups.",
extension_settings.REMOTE_GROUPS_HEADER,
)
# Otherwise redirect back to the frontpage
unsafe_next_path = request.args.get("next")
next_path = get_next_path(unsafe_next_path)
if settings.MULTI_ORG:
org = current_org._get_current_object()
index_url = url_for("redash.index", org_slug=org.slug, next=next_path)
else:
index_url = url_for("redash.index", next=next_path)
return redirect(index_url)
def authorized():
code = request.args.get('code')
if code is None:
logger.warning("code missing in call back request.")
flash("Validation error. Please retry.")
return redirect(url_for("redash.login"))
profile = get_user_profile(code)
if profile is None:
flash("Validation error. Please retry.")
return redirect(url_for("redash.login"))
if "org_slug" in session:
org = models.Organization.get_by_slug(session.pop("org_slug"))
else:
org = current_org
if not verify_profile(org, profile):
logger.warning(
"User tried to login with unauthorized domain name: %s (org: %s)",
profile["email"],
org,
)
flash("Your microsoft Apps account ({}) isn't allowed.".format(
profile["email"]))
return redirect(url_for("redash.login", org_slug=org.slug))
picture_url = profile.get('picture')
user = create_and_login_user(org, profile["name"], profile["email"],
picture_url)
if user is None:
return logout_and_redirect_to_index()
unsafe_next_path = request.args.get("state") or url_for("redash.index",
org_slug=org.slug)
next_path = get_next_path(unsafe_next_path)
return redirect(next_path)
