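def _is_safe_relay_state(relay_state, self_url_host):
    """Return True only if ``relay_state`` points back at this SP.

    RelayState is read from the POSTed form, i.e. it is attacker-controlled,
    and python3-saml's ``redirect_to()`` does not restrict the target host.
    Accepted targets are therefore a bare path (``/course/1``) or an absolute
    URL whose scheme and host equal ``self_url_host`` (the value returned by
    ``OneLogin_Saml2_Utils.get_self_url_host``).  Everything else (other
    hosts, ``//host``, ``/\\host``, ``javascript:`` ...) is rejected.
    """
    from urllib.parse import urlsplit

    if not relay_state:
        return False
    target = urlsplit(relay_state)
    if target.scheme or target.netloc:
        own = urlsplit(self_url_host)
        return (target.scheme.lower(), target.netloc.lower()) == (own.scheme.lower(), own.netloc.lower())
    # Bare path: "//host" and "/\host" are resolved by browsers as another origin.
    return relay_state.startswith("/") and relay_state[1:2] not in ("/", "\\")


def saml():
    """Flask view implementing SP-initiated SAML 2.0 login.

    GET  -> redirect the browser to the IdP (``auth.login()``).
    POST -> Assertion Consumer Service: validate the IdP response (retrying
            with each ``additionalX509certs`` entry when only the signature
            check failed), create the user on first login (matched on the
            asserted e-mail), put the user in the session and redirect to an
            SP-local RelayState, otherwise to "/".

    Returns:
        A Flask redirect response.
    Raises:
        404 via ``abort`` when "saml" is not an enabled authentication method;
        400 via ``abort`` when a validated response lacks a mapped attribute.
    """
    import copy

    if "saml" not in syllabus.get_config()['authentication_methods']:
        abort(404)
    req = prepare_request(request)
    req['request_uri'] = request.path  # hack to ensure to have the correct path and to avoid RelayState loops
    auth = init_saml_auth(req, saml_config)

    if request.method == "GET":
        return redirect(auth.login())

    auth.process_response()
    errors = auth.get_errors()
    # python3-saml verifies against a single IdP certificate.  When the IdP
    # publishes several (key rollover), retry with each fallback certificate
    # as long as the *only* problem is the signature; any other validation
    # error (expired assertion, wrong audience, ...) is never retried.
    for cert in saml_config["idp"].get("additionalX509certs", []):
        if auth.get_last_error_reason() != "Signature validation failed. SAML Response rejected":
            break
        new_settings = copy.deepcopy(saml_config)
        new_settings["idp"]["x509cert"] = cert
        auth = init_saml_auth(req, new_settings)
        auth.process_response()
        errors = auth.get_errors()

    if errors:
        # Invalid or unsigned response: nobody is logged in, bounce to the front page.
        return seeother("/")

    attrs = auth.get_attributes()
    attr_names = saml_config['sp']['attrs']
    try:
        username = attrs[attr_names['username']][0]
        realname = attrs[attr_names['realname']][0]
        email = attrs[attr_names['email']][0]
    except (KeyError, IndexError):
        # The assertion verified but does not carry the attributes users are
        # mapped on; a misconfigured IdP must not become a 500.
        abort(400)

    # Accounts are linked on the e-mail asserted by the IdP.  The IdP must be
    # the authority for that address: if it let users pick an arbitrary e-mail,
    # anyone could log into the local account that already owns it.
    user = User.query.filter(User.email == email).first()
    if user is None:
        # First login: password-less account, SAML is its only login path.
        user = User(name=username,
                    full_name=realname,
                    email=email,
                    hash_password=None,
                    change_password_url=None)
        db_session.add(user)
        db_session.commit()

    session["user"] = user.to_dict()
    session["user"].update({"login_method": "saml"})

    # RelayState is form input: follow it only back to this SP (no open redirect),
    # and not to the ACS URL itself, which would loop.
    relay_state = request.form.get('RelayState')
    self_url = OneLogin_Saml2_Utils.get_self_url(req)
    if (relay_state and relay_state != self_url
            and _is_safe_relay_state(relay_state, OneLogin_Saml2_Utils.get_self_url_host(req))):
        return redirect(auth.redirect_to(relay_state))

    return seeother("/")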
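def handle_user_registration_infos(inpt, email, activation_required):
    """Validate a registration form and build the corresponding ``User``.

    :param inpt: the form containing the ``username``, ``password`` and
        ``confirm-password`` fields
    :param email: the e-mail address the account is registered under; it is
        handed to ``hash_password_func`` together with the password
    :param activation_required: set to true if the user still has to activate its account as of now
    :return: a new, not yet persisted ``User``, or ``None`` when a field is
        invalid -- the reason is then recorded with ``set_feedback`` under the
        ``"login"`` feedback type
    :raises: UnicodeEncodeError
    :raises KeyError: when one of the three form fields is absent from ``inpt``
    """
    username = inpt["username"]
    password = inpt["password"]
    confirm_password = inpt["confirm-password"]

    # Validation: the first failing check is the one reported to the user.
    problem = None
    if password != confirm_password:
        problem = "Your passwords do not match."
    elif len(password) < 6:
        problem = "Your password is too short (< 6 characters)"
    # fullmatch + re.ASCII: re.match with a trailing "$" still accepts "name\n",
    # and [A-Z] under IGNORECASE alone also matches a few non-ASCII letters
    # (U+0130, U+0131, U+017F, U+212A), which would bypass the whitelist.
    elif re.fullmatch(r"[-_0-9A-Z]{4,}", username, re.IGNORECASE | re.ASCII) is None:
        problem = ("the username you entered is invalid (should contain at least 4 "
                   "characters and only letters from a to z, digits, - and _)")
    if problem is not None:
        set_feedback(session, ErrorFeedback(problem), feedback_type="login")
        return None

    config = syllabus.get_config()
    password_hash = hash_password_func(email=email, password=password,
                                       global_salt=config.get('password_salt', None),
                                       n_iterations=config.get('password_hash_iterations', 100000))
    return User(username, email, hash_password=password_hash, right=None, activated=not activation_required)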
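def create_db_user():
    """Create the bootstrap ``admin`` account and stamp the schema version.

    The account is created without a password hash; instead a random
    ``change_password_url`` token (40 hex chars) is stored.  Afterwards
    ``PRAGMA user_version`` is set to the module-level ``current_version`` on
    the SQLite database behind ``engine``.

    Side effects: adds one row through ``db_session`` and commits it.
    """
    from syllabus.models.user import User

    # os.urandom is the OS CSPRNG; this token stands in for the admin's
    # credentials until a password is set, so it must not be predictable.
    change_pwd_hex = binascii.hexlify(os.urandom(20)).decode()
    admin = User('admin', 'admin@localhost', hash_password=None,
                 change_password_url=change_pwd_hex, right='admin')
    db_session.add(admin)
    db_session.commit()

    # Context manager returns the connection to the pool instead of leaking it
    # to the GC.  "%d" coerces current_version to an int, so nothing but a
    # number can reach the PRAGMA statement.
    with engine.connect() as connection:
        connection.execute("PRAGMA main.user_version=%d;" % current_version)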
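def _is_safe_relay_state(relay_state, self_url_host):
    """Return True only if ``relay_state`` points back at this SP.

    RelayState is read from the POSTed form, i.e. it is attacker-controlled,
    and python3-saml's ``redirect_to()`` does not restrict the target host.
    Accepted targets are therefore a bare path (``/course/1``) or an absolute
    URL whose scheme and host equal ``self_url_host`` (the value returned by
    ``OneLogin_Saml2_Utils.get_self_url_host``).  Everything else (other
    hosts, ``//host``, ``/\\host``, ``javascript:`` ...) is rejected.
    """
    from urllib.parse import urlsplit

    if not relay_state:
        return False
    target = urlsplit(relay_state)
    if target.scheme or target.netloc:
        own = urlsplit(self_url_host)
        return (target.scheme.lower(), target.netloc.lower()) == (own.scheme.lower(), own.netloc.lower())
    # Bare path: "//host" and "/\host" are resolved by browsers as another origin.
    return relay_state.startswith("/") and relay_state[1:2] not in ("/", "\\")


def saml():
    """Flask view implementing SP-initiated SAML 2.0 login.

    GET        -> redirect the browser to the IdP (``auth.login()``).
    POST ?acs  -> Assertion Consumer Service: validate the IdP response,
                  create the user on first login (matched on the asserted
                  e-mail), put the user in the session and redirect to an
                  SP-local RelayState, otherwise to "/".
    Any other POST is sent to "/" untouched.

    Returns:
        A Flask redirect response.
    Raises:
        404 via ``abort`` when "saml" is not an enabled authentication method;
        400 via ``abort`` when a validated response lacks a mapped attribute.
    """
    if "saml" not in syllabus.get_config()['authentication_methods']:
        abort(404)
    req = prepare_request(request)
    req['request_uri'] = request.path  # hack to ensure to have the correct path and to avoid RelayState loops
    auth = init_saml_auth(req, saml_config)

    if request.method == "GET":
        return redirect(auth.login())
    if 'acs' not in request.args:
        return seeother("/")

    auth.process_response()
    if auth.get_errors():
        # Invalid or unsigned response: nobody is logged in, bounce to the front page.
        return seeother("/")

    attrs = auth.get_attributes()
    attr_names = saml_config['sp']['attrs']
    try:
        username = attrs[attr_names['username']][0]
        realname = attrs[attr_names['realname']][0]
        email = attrs[attr_names['email']][0]
    except (KeyError, IndexError):
        # The assertion verified but does not carry the attributes users are
        # mapped on; a misconfigured IdP must not become a 500.
        abort(400)

    # Accounts are linked on the e-mail asserted by the IdP.  The IdP must be
    # the authority for that address: if it let users pick an arbitrary e-mail,
    # anyone could log into the local account that already owns it.
    user = User.query.filter(User.email == email).first()
    if user is None:
        # First login: password-less account, SAML is its only login path.
        user = User(name=username,
                    full_name=realname,
                    email=email,
                    hash_password=None,
                    change_password_url=None)
        db_session.add(user)
        db_session.commit()

    session["user"] = user.to_dict()
    session["user"].update({"login_method": "saml"})

    # RelayState is form input: follow it only back to this SP (no open redirect),
    # and not to the ACS URL itself, which would loop.
    relay_state = request.form.get('RelayState')
    self_url = OneLogin_Saml2_Utils.get_self_url(req)
    if (relay_state and relay_state != self_url
            and _is_safe_relay_state(relay_state, OneLogin_Saml2_Utils.get_self_url_host(req))):
        return redirect(auth.redirect_to(relay_state))

    return seeother("/")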