def process_request(self, request):
# AuthenticationMiddleware is required so that request.user exists.
if not hasattr(request, "user"):
raise ImproperlyConfigured(
"The Django remote user auth middleware requires the"
" authentication middleware to be installed. Edit your"
" MIDDLEWARE_CLASSES setting to insert"
" 'django.contrib.auth.middleware.AuthenticationMiddleware'"
" before the RemoteUserMiddleware class."
)
# To support logout. If this variable is True, do not
# authenticate user and return now.
if request.session.get(LOGOUT_SESSION_KEY) == True:
return
else:
# Delete the shib reauth session key if present.
request.session.pop(LOGOUT_SESSION_KEY, None)
# Locate the remote user header.
# import pprint; pprint.pprint(request.META)
try:
username = request.META[SHIB_USER_HEADER]
except KeyError:
# If specified header doesn't exist then return (leaving
# request.user set to AnonymousUser by the
# AuthenticationMiddleware).
return
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
# persisted in the session and we don't need to continue.
if request.user.is_authenticated():
if request.user.username == username:
if request.user.is_staff:
update_sudo_mode_ts(request)
return
# Make sure we have all required Shiboleth elements before proceeding.
shib_meta, error = self.parse_attributes(request)
# Add parsed attributes to the session.
request.session["shib"] = shib_meta
if error:
raise ShibbolethValidationError("All required Shibboleth elements" " not found. %s" % shib_meta)
# We are seeing this user for the first time in this session, attempt
# to authenticate the user.
user = auth.authenticate(remote_user=username, shib_meta=shib_meta)
if user:
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
auth.login(request, user)
user.set_unusable_password()
user.save()
# call make profile.
self.make_profile(user, shib_meta)
# setup session.
self.setup_session(request)
request.shib_login = True
def process_request(self, request):
protected_paths = [item.strip().strip('/') for item in self.protected_paths]
if request.path.strip('/') not in protected_paths:
return
# AuthenticationMiddleware is required so that request.user exists.
if not hasattr(request, 'user'):
raise ImproperlyConfigured(
"The Django remote user auth middleware requires the"
" authentication middleware to be installed. Edit your"
" MIDDLEWARE setting to insert"
" 'django.contrib.auth.middleware.AuthenticationMiddleware'"
" before the RemoteUserMiddleware class.")
try:
username = request.META[self.header]
except KeyError:
if settings.DEBUG:
assert False
# If specified header doesn't exist then remove any existing
# authenticated remote-user, or return (leaving request.user set to
# AnonymousUser by the AuthenticationMiddleware).
if self.force_logout_if_no_header and request.user.is_authenticated(
):
self._remove_invalid_user(request)
return
if self.remote_user_domain:
username = username.split('@')[0] + '@' + self.remote_user_domain
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
# persisted in the session and we don't need to continue.
if request.user.is_authenticated():
if request.user.get_username() == self.clean_username(
username, request):
if request.user.is_staff:
update_sudo_mode_ts(request)
# add a mark to generate api token and set cookie
request.remote_user_authentication = True
return
else:
# An authenticated user is associated with the request, but
# it does not match the authorized user in the header.
self._remove_invalid_user(request)
# We are seeing this user for the first time in this session, attempt
# to authenticate the user.
user = auth.authenticate(request=request, remote_user=username)
if user:
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
auth.login(request, user)
# add a mark to generate api token and set cookie
request.remote_user_authentication = True
def register(self, request, **kwargs):
"""
Given a username, email address and password, register a new
user account, which will initially be inactive.
Along with the new ``User`` object, a new
``registration.models.RegistrationProfile`` will be created,
tied to that ``User``, containing the activation key which
will be used for this account.
An email will be sent to the supplied email address; this
email should contain an activation link. The email will be
rendered using two templates. See the documentation for
``RegistrationProfile.send_activation_email()`` for
information about these templates and the contexts provided to
them.
After the ``User`` and ``RegistrationProfile`` are created and
the activation email is sent, the signal
``registration.signals.user_registered`` will be sent, with
the new ``User`` as the keyword argument ``user`` and the
class of this backend as the sender.
"""
email, password = kwargs['email'], kwargs['password1']
username = email
if Site._meta.installed:
site = Site.objects.get_current()
else:
site = RequestSite(request)
from registration.models import RegistrationProfile
if settings.ACTIVATE_AFTER_REGISTRATION == True:
# since user will be activated after registration,
# so we will not use email sending, just create acitvated user
new_user = RegistrationProfile.objects.create_active_user(username, email,
password, site,
send_email=False)
# login the user
new_user.backend=settings.AUTHENTICATION_BACKENDS[0]
login(request, new_user)
else:
# create inactive user, user can be activated by admin, or through activated email
new_user = RegistrationProfile.objects.create_inactive_user(username, email,
password, site,
send_email=settings.REGISTRATION_SEND_MAIL)
userid = kwargs['userid']
if userid:
ccnet_threaded_rpc.add_binding(new_user.username, userid)
signals.user_registered.send(sender=self.__class__,
user=new_user,
request=request)
return new_user
def done(self, form_list, **kwargs):
"""
Login the user and redirect to the desired page.
"""
login(self.request, self.get_user())
redirect_to = self.request.GET.get(self.redirect_field_name, '')
if not is_safe_url(url=redirect_to, host=self.request.get_host()):
redirect_to = str(settings.LOGIN_REDIRECT_URL)
device = getattr(self.get_user(), 'otp_device', None)
if device:
signals.user_verified.send(sender=__name__, request=self.request,
user=self.get_user(), device=device)
return redirect(redirect_to)
def activate(self, request, activation_key):
"""
Given an an activation key, look up and activate the user
account corresponding to that key (if possible).
After successful activation, the signal
``registration.signals.user_activated`` will be sent, with the
newly activated ``User`` as the keyword argument ``user`` and
the class of this backend as the sender.
"""
from registration.models import RegistrationProfile
activated = RegistrationProfile.objects.activate_user(activation_key)
if activated:
signals.user_activated.send(sender=self.__class__, user=activated, request=request)
# login the user
activated.backend = settings.AUTHENTICATION_BACKENDS[0]
login(request, activated)
return activated
def oauth_callback(request):
""" Step 3: Retrieving an access token.
The user has been redirected back from the provider to your registered
callback URL. With this redirection comes an authorization code included
in the redirect URL. We will use that to obtain an access token.
"""
session = OAuth2Session(client_id=CLIENT_ID,
scope=SCOPE,
state=request.session.get('oauth_state', None),
redirect_uri=REDIRECT_URL)
try:
token = session.fetch_token(
TOKEN_URL,
client_secret=CLIENT_SECRET,
authorization_response=request.get_full_path())
if session._client.__dict__['token'].has_key('user_id'):
# used for sjtu.edu.cn
# https://xjq12311.gitbooks.io/sjtu-engtc/content/
user_id = session._client.__dict__['token']['user_id']
user_info_resp = session.get(USER_INFO_URL +
'?user_id=%s' % user_id)
else:
user_info_url = USER_INFO_URL
if ACCESS_TOKEN_IN_URI:
code = request.GET.get('code')
user_info_url = USER_INFO_URL + '?access_token=%s&code=%s' % (
token['access_token'], code)
user_info_resp = session.get(user_info_url)
except Exception as e:
logger.error(e)
return render_error(request, _('Error, please contact administrator.'))
def format_user_info(user_info_resp):
logger.info('user info resp: %s' % user_info_resp.text)
error = False
user_info = {}
user_info_json = user_info_resp.json()
for item, attr in ATTRIBUTE_MAP.items():
required, user_attr = attr
value = user_info_json.get(item, '')
if value:
# ccnet email
if user_attr == 'email':
user_info[user_attr] = value if is_valid_email(str(value)) else \
'%s@%s' % (str(value), PROVIDER_DOMAIN)
else:
user_info[user_attr] = value
elif required:
error = True
return user_info, error
user_info, error = format_user_info(user_info_resp)
if error:
logger.error('Required user info not found.')
logger.error(user_info)
return render_error(request, _('Error, please contact administrator.'))
# seahub authenticate user
email = user_info['email']
try:
user = auth.authenticate(remote_user=email)
except User.DoesNotExist:
user = None
if not user or not user.is_active:
logger.error('User %s not found or inactive.' % email)
# a page for authenticate user failed
return render_error(request, _(u'User %s not found.') % email)
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
auth.login(request, user)
# update user's profile
name = user_info['name'] if user_info.has_key('name') else ''
contact_email = user_info['contact_email'] if \
user_info.has_key('contact_email') else ''
profile = Profile.objects.get_profile_by_user(email)
if not profile:
profile = Profile(user=email)
if name:
profile.nickname = name.strip()
profile.save()
if contact_email:
profile.contact_email = contact_email.strip()
profile.save()
# generate auth token for Seafile client
api_token = get_api_token(request)
# redirect user to home page
response = HttpResponseRedirect(request.session['oauth_redirect'])
response.set_cookie('seahub_auth', email + '@' + api_token.key)
return response
def register(self, request, **kwargs):
"""
Given a username, email address and password, register a new
user account, which will initially be inactive.
Along with the new ``User`` object, a new
``registration.models.RegistrationProfile`` will be created,
tied to that ``User``, containing the activation key which
will be used for this account.
An email will be sent to the supplied email address; this
email should contain an activation link. The email will be
rendered using two templates. See the documentation for
``RegistrationProfile.send_activation_email()`` for
information about these templates and the contexts provided to
them.
After the ``User`` and ``RegistrationProfile`` are created and
the activation email is sent, the signal
``registration.signals.user_registered`` will be sent, with
the new ``User`` as the keyword argument ``user`` and the
class of this backend as the sender.
"""
email, password = kwargs['email'], kwargs['password1']
username = email
if Site._meta.installed:
site = Site.objects.get_current()
else:
site = RequestSite(request)
from registration.models import RegistrationProfile
if settings.ACTIVATE_AFTER_REGISTRATION == True:
# since user will be activated after registration,
# so we will not use email sending, just create acitvated user
new_user = RegistrationProfile.objects.create_active_user(username, email,
password, site,
send_email=False)
# login the user
new_user.backend=settings.AUTHENTICATION_BACKENDS[0]
login(request, new_user)
else:
# create inactive user, user can be activated by admin, or through activated email
new_user = RegistrationProfile.objects.create_inactive_user(username, email,
password, site,
send_email=settings.REGISTRATION_SEND_MAIL)
# userid = kwargs['userid']
# if userid:
# ccnet_threaded_rpc.add_binding(new_user.username, userid)
if settings.REQUIRE_DETAIL_ON_REGISTRATION:
name = kwargs['name']
department = kwargs['department']
telephone = kwargs['telephone']
note = kwargs['note']
Profile.objects.add_or_update(new_user.username, name, note)
DetailedProfile.objects.add_detailed_profile(new_user.username,
department,
telephone)
signals.user_registered.send(sender=self.__class__,
user=new_user,
request=request)
return new_user
def dingtalk_callback(request):
if not ENABLE_DINGTALK:
return render_error(request, _('Error, please contact administrator.'))
state = request.GET.get('state', '')
if not state or state != request.session.get('dingtalk_login_state', ''):
logger.error('invalid state')
return render_error(request, _('Error, please contact administrator.'))
timestamp = str(int(time.time()*1000)).encode('utf-8')
appsecret = DINGTALK_QR_CONNECT_APP_SECRET.encode('utf-8')
signature = base64.b64encode(hmac.new(appsecret, timestamp, digestmod=sha256).digest())
parameters = {
'accessKey': DINGTALK_QR_CONNECT_APP_ID,
'timestamp': timestamp,
'signature': signature,
}
code = request.GET.get('code')
data = {"tmp_auth_code": code}
full_user_info_url = DINGTALK_QR_CONNECT_USER_INFO_URL + '?' + urllib.parse.urlencode(parameters)
user_info_resp = requests.post(full_user_info_url, data=json.dumps(data))
user_info = user_info_resp.json()['user_info']
# seahub authenticate user
if 'unionid' not in user_info:
logger.error('Required user info not found.')
logger.error(user_info)
return render_error(request, _('Error, please contact administrator.'))
auth_user = SocialAuthUser.objects.get_by_provider_and_uid('dingtalk', user_info['unionid'])
if auth_user:
email = auth_user.username
else:
email = gen_user_virtual_id()
SocialAuthUser.objects.add(email, 'dingtalk', user_info['unionid'])
try:
user = auth.authenticate(remote_user=email)
except User.DoesNotExist:
user = None
except Exception as e:
logger.error(e)
return render_error(request, _('Error, please contact administrator.'))
if not user or not user.is_active:
return render_error(request, _('User %s not found or inactive.') % email)
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
request.session['remember_me'] = DINGTALK_QR_CONNECT_LOGIN_REMEMBER_ME
auth.login(request, user)
# update user's profile
name = user_info['nick'] if 'nick' in user_info else ''
if name:
profile = Profile.objects.get_profile_by_user(email)
if not profile:
profile = Profile(user=email)
profile.nickname = name.strip()
profile.save()
# generate auth token for Seafile client
api_token = get_api_token(request)
# redirect user to home page
response = HttpResponseRedirect(request.session['dingtalk_login_redirect'])
response.set_cookie('seahub_auth', email + '@' + api_token.key)
return response
def work_weixin_oauth_callback(request):
if not work_weixin_oauth_check():
return render_error(request, _('Feature is not enabled.'))
code = request.GET.get('code', None)
state = request.GET.get('state', None)
if state != request.session.get('work_weixin_oauth_state',
None) or not code:
logger.error(
'can not get right code or state from work weixin request')
return render_error(request, _('Error, please contact administrator.'))
access_token = get_work_weixin_access_token()
if not access_token:
logger.error('can not get work weixin access_token')
return render_error(request, _('Error, please contact administrator.'))
data = {
'access_token': access_token,
'code': code,
}
api_response = requests.get(WORK_WEIXIN_GET_USER_INFO_URL, params=data)
api_response_dic = handler_work_weixin_api_response(api_response)
if not api_response_dic:
logger.error('can not get work weixin user info')
return render_error(request, _('Error, please contact administrator.'))
if not api_response_dic.get('UserId', None):
logger.error('can not get UserId in work weixin user info response')
return render_error(request, _('Error, please contact administrator.'))
user_id = api_response_dic.get('UserId')
uid = WORK_WEIXIN_UID_PREFIX + user_id
work_weixin_user = SocialAuthUser.objects.get_by_provider_and_uid(
WORK_WEIXIN_PROVIDER, uid)
if work_weixin_user:
email = work_weixin_user.username
is_new_user = False
else:
email = gen_user_virtual_id()
is_new_user = True
try:
user = auth.authenticate(remote_user=email)
except User.DoesNotExist:
user = None
except Exception as e:
logger.error(e)
return render_error(request, _('Error, please contact administrator.'))
if not user:
return render_error(
request,
_('Error, new user registration is not allowed, please contact administrator.'
))
if is_new_user:
SocialAuthUser.objects.add(email, WORK_WEIXIN_PROVIDER, uid)
# update user info
if is_new_user or WORK_WEIXIN_USER_INFO_AUTO_UPDATE:
user_info_data = {
'access_token': access_token,
'userid': user_id,
}
user_info_api_response = requests.get(WORK_WEIXIN_GET_USER_PROFILE_URL,
params=user_info_data)
user_info_api_response_dic = handler_work_weixin_api_response(
user_info_api_response)
if user_info_api_response_dic:
api_user = user_info_api_response_dic
api_user['username'] = email
api_user['contact_email'] = api_user['email']
update_work_weixin_user_info(api_user)
if not user.is_active:
return render_error(
request,
_('Your account is created successfully, please wait for administrator to activate your account.'
))
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
request.session['remember_me'] = REMEMBER_ME
auth.login(request, user)
# generate auth token for Seafile client
api_token = get_api_token(request)
# redirect user to page
response = HttpResponseRedirect(
request.session.get('work_weixin_oauth_redirect', '/'))
response.set_cookie('seahub_auth', user.username + '@' + api_token.key)
return response
def process_request(self, request):
# AuthenticationMiddleware is required so that request.user exists.
if not hasattr(request, 'user'):
raise ImproperlyConfigured(
"The Django remote user auth middleware requires the"
" authentication middleware to be installed. Edit your"
" MIDDLEWARE_CLASSES setting to insert"
" 'django.contrib.auth.middleware.AuthenticationMiddleware'"
" before the RemoteUserMiddleware class.")
#To support logout. If this variable is True, do not
#authenticate user and return now.
if request.session.get(LOGOUT_SESSION_KEY) is True:
return
else:
#Delete the shib reauth session key if present.
request.session.pop(LOGOUT_SESSION_KEY, None)
#Locate the remote user header.
# import pprint; pprint.pprint(request.META)
try:
username = request.META[SHIB_USER_HEADER]
except KeyError:
# If specified header doesn't exist then return (leaving
# request.user set to AnonymousUser by the
# AuthenticationMiddleware).
return
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
# persisted in the session and we don't need to continue.
if request.user.is_authenticated():
if request.user.username == username:
if request.user.is_staff:
update_sudo_mode_ts(request)
return
# Make sure we have all required Shiboleth elements before proceeding.
shib_meta, error = self.parse_attributes(request)
# Add parsed attributes to the session.
request.session['shib'] = shib_meta
if error:
raise ShibbolethValidationError("All required Shibboleth elements"
" not found. %s" % shib_meta)
# We are seeing this user for the first time in this session, attempt
# to authenticate the user.
user = auth.authenticate(remote_user=username, shib_meta=shib_meta)
if user:
if not user.is_active:
return HttpResponseRedirect(reverse('shib_complete'))
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
auth.login(request, user)
user.set_unusable_password()
user.save()
# call make profile.
self.make_profile(user, shib_meta)
user_role = self.update_user_role(user, shib_meta)
if user_role:
self.update_user_quota(user, user_role)
#setup session.
self.setup_session(request)
request.shib_login = True
