def get_targets(): users = [] user1 = get_user(email="*****@*****.**") if user1: users.append(user1) user2 = get_user(email="*****@*****.**") if user2: users.append(user2) return users
def get_targets(): users = [] user1 = get_user(email='*****@*****.**') if user1: users.append(user1) user2 = get_user(email='*****@*****.**') if user2: users.append(user2) return users
def get_user_from_cas_resp(cas_resp): """ Given a CAS service validation response, attempt to retrieve user information and next action. :param cas_resp: the cas service validation response :return: the user, the external_credential, and the next action """ if cas_resp.user: user = User.load(cas_resp.user) # cas returns a valid OSF user id if user: return user, None, 'authenticate' # cas does not return a valid OSF user id else: external_credential = validate_external_credential(cas_resp.user) # invalid cas response if not external_credential: return None, None, None # cas returns a valid external credential user = get_user( external_id_provider=external_credential['provider'], external_id=external_credential['id']) # existing user found if user: return user, external_credential, 'authenticate' # user first time login through external identity provider else: return None, external_credential, 'external_first_login'
def get_user_from_cas_resp(cas_resp): """ Given a CAS service validation response, attempt to retrieve user information and next action. The `user` in `cas_resp` is the unique GUID of the user. Please do not use the primary key `id` or the email `username`. This holds except for the first step of ORCiD login. :param cas_resp: the cas service validation response :return: the user, the external_credential, and the next action """ from osf.models import OSFUser if cas_resp.user: user = OSFUser.load(cas_resp.user) # cas returns a valid OSF user id if user: return user, None, 'authenticate' # cas does not return a valid OSF user id else: external_credential = validate_external_credential(cas_resp.user) # invalid cas response if not external_credential: return None, None, None # cas returns a valid external credential user = get_user(external_id_provider=external_credential['provider'], external_id=external_credential['id']) # existing user found if user: return user, external_credential, 'authenticate' # user first time login through external identity provider else: return None, external_credential, 'external_first_login'
def register_unconfirmed(username, password, fullname, campaign=None, accepted_terms_of_service=None): from osf.models import OSFUser user = get_user(email=username) if not user: user = OSFUser.create_unconfirmed( username=username, password=password, fullname=fullname, campaign=campaign, accepted_terms_of_service=accepted_terms_of_service) user.save() signals.unconfirmed_user_created.send(user) elif not user.is_registered: # User is in db but not registered user.add_unconfirmed_email(username) user.set_password(password) user.fullname = fullname user.update_guessed_names() user.save() else: raise DuplicateEmailError( 'OSFUser {0!r} already exists'.format(username)) return user
def get_admin_users(admins): """Returns a list of user objects If used in conjunction with MeetingForm it will already have checked for emails that don't match OSF users. """ return [get_user(email=e) for e in admins]
def add_unregistered_member(self, fullname, email, auth, role=MEMBER): """Add unregistered member or manager to OSFGroup :param fullname: string, user fullname :param email: email, user email :param auth: Auth object :param role: string, "member" or "manager", default is member """ OSFUser = apps.get_model('osf.OSFUser') try: validate_email(email) except BlacklistedEmailError: raise ValidationError('Email address domain is blacklisted.') user = get_user(email=email) if user: if user.is_registered or self.is_member(user): raise ValueError('User already exists.') else: user = OSFUser.create_unregistered(fullname=fullname, email=email) user.add_unclaimed_record(self, referrer=auth.user, given_name=fullname, email=email) user.save() if role == MANAGER: self.make_manager(user, auth=auth) else: self.make_member(user, auth=auth) return user
def claim_user_post(node, **kwargs): """View for claiming a user from the X-editable form on a project page. """ reqdata = request.json # Unreg user user = User.load(reqdata['pk']) unclaimed_data = user.get_unclaimed_record(node._primary_key) # Submitted through X-editable if 'value' in reqdata: # Submitted email address email = reqdata['value'].lower().strip() claimer = get_user(email=email) if claimer and claimer.is_registered: send_claim_registered_email(claimer=claimer, unreg_user=user, node=node) else: send_claim_email(email, user, node, notify=True) # TODO(sloria): Too many assumptions about the request data. Just use elif 'claimerId' in reqdata: # User is logged in and confirmed identity claimer_id = reqdata['claimerId'] claimer = User.load(claimer_id) send_claim_registered_email(claimer=claimer, unreg_user=user, node=node) email = claimer.username else: raise HTTPError(http.BAD_REQUEST) return { 'status': 'success', 'email': email, 'fullname': unclaimed_data['name'] }
def deserialize_contributors(node, user_dicts, auth, validate=False): """View helper that returns a list of User objects from a list of serialized users (dicts). The users in the list may be registered or unregistered users. e.g. ``[{'id': 'abc123', 'registered': True, 'fullname': ..}, {'id': None, 'registered': False, 'fullname'...}, {'id': '123ab', 'registered': False, 'fullname': ...}] If a dict represents an unregistered user without an ID, creates a new unregistered User record. :param Node node: The node to add contributors to :param list(dict) user_dicts: List of serialized users in the format above. :param Auth auth: :param bool validate: Whether to validate and sanitize fields (if necessary) """ # Add the registered contributors contribs = [] for contrib_dict in user_dicts: fullname = contrib_dict['fullname'] visible = contrib_dict['visible'] email = contrib_dict.get('email') if validate is True: # Validate and sanitize inputs as needed. Email will raise error if invalid. # TODO Edge case bug: validation and saving are performed in same loop, so all in list # up to the invalid entry will be saved. (communicate to the user what needs to be retried) fullname = sanitize.strip_html(fullname) if not fullname: raise ValidationError('Full name field cannot be empty') if email: validate_email(email) # Will raise a ValidationError if email invalid if contrib_dict['id']: contributor = OSFUser.load(contrib_dict['id']) else: try: contributor = OSFUser.create_unregistered( fullname=fullname, email=email) contributor.save() except ValidationError: ## FIXME: This suppresses an exception if ID not found & new validation fails; get_user will return None contributor = get_user(email=email) # Add unclaimed record if necessary if not contributor.is_registered: contributor.add_unclaimed_record(node, referrer=auth.user, given_name=fullname, email=email) contributor.save() contribs.append({ 'user': contributor, 'visible': visible, 'permissions': expand_permissions(contrib_dict.get('permission')) }) return contribs
def get_user_from_cas_resp(cas_resp): """ Given a CAS service validation response, attempt to retrieve user information and next action. The `user` in `cas_resp` is the unique GUID of the user. Please do not use the primary key `id` or the email `username`. This holds except for the first step of ORCiD login. :param cas_resp: the cas service validation response :return: the user, the external_credential, and the next action """ from osf.models import OSFUser if cas_resp.user: user = OSFUser.load(cas_resp.user) # cas returns a valid OSF user id if user: return user, None, 'authenticate' # cas does not return a valid OSF user id else: external_credential = validate_external_credential(cas_resp.user) # invalid cas response if not external_credential: return None, None, None # cas returns a valid external credential user = get_user( external_id_provider=external_credential['provider'], external_id=external_credential['id']) # existing user found if user: return user, external_credential, 'authenticate' # user first time login through external identity provider else: return None, external_credential, 'external_first_login'
def before_request(): # TODO: Fix circular import from framework.auth.core import get_user from framework.auth import cas from website.util import time as util_time # Central Authentication Server Ticket Validation and Authentication ticket = request.args.get('ticket') if ticket: service_url = furl.furl(request.url) service_url.args.pop('ticket') # Attempt to authenticate wih CAS, and return a proper redirect response return cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url) if request.authorization: user = get_user(email=request.authorization.username, password=request.authorization.password) # Create an empty session # TODO: Shoudn't need to create a session for Basic Auth user_session = Session() set_session(user_session) if user: user_addon = user.get_addon('twofactor') if user_addon and user_addon.is_confirmed: otp = request.headers.get('X-OSF-OTP') if otp is None or not user_addon.verify_code(otp): # Must specify two-factor authentication OTP code or invalid two-factor authentication OTP code. user_session.data['auth_error_code'] = http.UNAUTHORIZED return user_session.data['auth_user_username'] = user.username user_session.data['auth_user_id'] = user._primary_key user_session.data['auth_user_fullname'] = user.fullname else: # Invalid key: Not found in database user_session.data['auth_error_code'] = http.UNAUTHORIZED return cookie = request.cookies.get(settings.COOKIE_NAME) if cookie: try: session_id = itsdangerous.Signer( settings.SECRET_KEY).unsign(cookie) user_session = Session.load(session_id) or Session(_id=session_id) except itsdangerous.BadData: return if not util_time.throttle_period_expired(user_session.date_created, settings.OSF_SESSION_TIMEOUT): if user_session.data.get( 'auth_user_id') and 'api' not in request.url: database['user'].update( {'_id': user_session.data.get('auth_user_id')}, {'$set': { 'date_last_login': datetime.utcnow() }}, w=0) set_session(user_session) else: remove_session(user_session)
def claim_user_post(node, **kwargs): """ View for claiming a user from the X-editable form on a project page. :param node: the project node :return: """ request_data = request.json # The unclaimed user unclaimed_user = User.load(request_data["pk"]) unclaimed_data = unclaimed_user.get_unclaimed_record(node._primary_key) # Claimer is not logged in and submit her/his email through X-editable, stored in `request_data['value']` if "value" in request_data: email = request_data["value"].lower().strip() claimer = get_user(email=email) # registered user if claimer and claimer.is_registered: send_claim_registered_email(claimer, unclaimed_user, node) # unregistered user else: send_claim_email(email, unclaimed_user, node, notify=True) # Claimer is logged in with confirmed identity stored in `request_data['claimerId']` elif "claimerId" in request_data: claimer_id = request_data["claimerId"] claimer = User.load(claimer_id) send_claim_registered_email(claimer, unclaimed_user, node) email = claimer.username else: raise HTTPError(http.BAD_REQUEST) return {"status": "success", "email": email, "fullname": unclaimed_data["name"]}
def get_user_from_cas_resp(cas_resp): """ Given a CAS service validation response, attempt to retrieve user information and next action. :param cas_resp: the cas service validation response :return: the user, the external_credential, and the next action """ if cas_resp.user: user = User.load(cas_resp.user) # cas returns a valid OSF user id if user: return user, None, 'authenticate' # cas does not return a valid OSF user id else: external_credential = validate_external_credential(cas_resp.user) # invalid cas response if not external_credential: return None, None, None # cas returns a valid external credential user = get_user(external_id_provider=external_credential['provider'], external_id=external_credential['id']) # existing user found if user: return user, external_credential, 'authenticate' # user first time login through external identity provider else: return None, external_credential, 'external_first_login'
def before_request(): from framework.auth import cas # Central Authentication Server Ticket Validation and Authentication ticket = request.args.get('ticket') if ticket: service_url = furl.furl(request.url) service_url.args.pop('ticket') # Attempt autn wih CAS, and return a proper redirect response resp = cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url) if request.cookies.get(settings.COOKIE_NAME): # TODO: Delete legacy cookie, this special case can be removed anytime after 1/1/2016. # A cookie is received which could potentially be a legacy (pre multi-domain) cookie. # Issuing a targeted delete of the legacy cookie ensures the user does not end up in a # login loop whereby both cookies are sent to the server and one of them at random # read for authentication. resp.delete_cookie(settings.COOKIE_NAME, domain=None) return resp if request.authorization: # TODO: Fix circular import from framework.auth.core import get_user user = get_user( email=request.authorization.username, password=request.authorization.password ) # Create empty session # TODO: Shoudn't need to create a session for Basic Auth session = Session() set_session(session) if user: user_addon = user.get_addon('twofactor') if user_addon and user_addon.is_confirmed: otp = request.headers.get('X-OSF-OTP') if otp is None or not user_addon.verify_code(otp): # Must specify two-factor authentication OTP code or invalid two-factor # authentication OTP code. session.data['auth_error_code'] = http.UNAUTHORIZED return session.data['auth_user_username'] = user.username session.data['auth_user_id'] = user._primary_key session.data['auth_user_fullname'] = user.fullname else: # Invalid key: Not found in database session.data['auth_error_code'] = http.UNAUTHORIZED return cookie = request.cookies.get(settings.COOKIE_NAME) if cookie: try: session_id = itsdangerous.Signer(settings.SECRET_KEY).unsign(cookie) session = Session.load(session_id) or Session(_id=session_id) except itsdangerous.BadData: return if session.data.get('auth_user_id') and 'api' not in request.url: database['user'].update({'_id': session.data.get('auth_user_id')}, {'$set': {'date_last_login': datetime.utcnow()}}, w=0) set_session(session)
def before_request(): from framework.auth import authenticate from framework.auth.core import User from framework.auth import cas # Central Authentication Server Ticket Validation and Authentication ticket = request.args.get('ticket') if ticket: service_url = furl.furl(request.url) service_url.args.pop('ticket') # Attempt autn wih CAS, and return a proper redirect response return cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url) # Central Authentication Server OAuth Bearer Token authorization = request.headers.get('Authorization') if authorization and authorization.startswith('Bearer '): client = cas.get_client() try: access_token = cas.parse_auth_header(authorization) except cas.CasTokenError as err: # NOTE: We assume that the request is an AJAX request return jsonify({'message_short': 'Invalid Bearer token', 'message_long': err.args[0]}), http.UNAUTHORIZED cas_resp = client.profile(access_token) if cas_resp.authenticated: user = User.load(cas_resp.user) return authenticate(user, access_token=access_token, response=None) return make_response('', http.UNAUTHORIZED) if request.authorization: # TODO: Fix circular import from framework.auth.core import get_user user = get_user( email=request.authorization.username, password=request.authorization.password ) # Create empty session # TODO: Shoudn't need to create a session for Basic Auth session = Session() if user: session.data['auth_user_username'] = user.username session.data['auth_user_id'] = user._primary_key session.data['auth_user_fullname'] = user.fullname else: # Invalid key: Not found in database session.data['auth_error_code'] = http.FORBIDDEN set_session(session) return cookie = request.cookies.get(settings.COOKIE_NAME) if cookie: try: session_id = itsdangerous.Signer(settings.SECRET_KEY).unsign(cookie) session = Session.load(session_id) or Session(_id=session_id) set_session(session) return except: pass
def post(self, request, *args, **kwargs): claimer = request.user email = (request.data.get('email', None) or '').lower().strip() record_id = (request.data.get('id', None) or '').lower().strip() if not record_id: raise ValidationError('Must specify record "id".') claimed_user = self.get_user( check_permissions=True) # Ensures claimability if claimed_user.is_disabled: raise ValidationError('Cannot claim disabled account.') try: record_referent = Guid.objects.get(_id=record_id).referent except Guid.DoesNotExist: raise NotFound('Unable to find specified record.') try: unclaimed_record = claimed_user.unclaimed_records[ record_referent._id] except KeyError: if isinstance( record_referent, Preprint ) and record_referent.node and record_referent.node._id in claimed_user.unclaimed_records: record_referent = record_referent.node unclaimed_record = claimed_user.unclaimed_records[ record_referent._id] else: raise NotFound('Unable to find specified record.') if claimer.is_anonymous and email: claimer = get_user(email=email) try: if claimer and claimer.is_registered: self._send_claim_email(claimer, claimed_user, record_referent, registered=True) else: self._send_claim_email(email, claimed_user, record_referent, notify=True, registered=False) except HTTPError as e: raise ValidationError(e.data['message_long']) elif isinstance(claimer, OSFUser): if unclaimed_record.get('referrer_id', '') == claimer._id: raise ValidationError('Referrer cannot claim user.') try: self._send_claim_email(claimer, claimed_user, record_referent, registered=True) except HTTPError as e: raise ValidationError(e.data['message_long']) else: raise ValidationError( 'Must either be logged in or specify claim email.') return Response(status=status.HTTP_204_NO_CONTENT)
def clean_admins(self): emails = self.cleaned_data['admins'] for email in emails: user = get_user(email=email) if not user or user is None: raise forms.ValidationError( '{} does not have an OSF account'.format(email)) return emails
def clean_admins(self): emails = self.cleaned_data['admins'] for email in emails: user = get_user(email=email) if not user or user is None: raise forms.ValidationError( '{} does not have an OSF account'.format(email) ) return emails
def before_request(): from framework.auth import cas from website.util import time as util_time # Central Authentication Server Ticket Validation and Authentication ticket = request.args.get('ticket') if ticket: service_url = furl.furl(request.url) service_url.args.pop('ticket') # Attempt autn wih CAS, and return a proper redirect response return cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url) if request.authorization: # TODO: Fix circular import from framework.auth.core import get_user user = get_user( email=request.authorization.username, password=request.authorization.password ) # Create empty session # TODO: Shoudn't need to create a session for Basic Auth session = Session() set_session(session) if user: user_addon = user.get_addon('twofactor') if user_addon and user_addon.is_confirmed: otp = request.headers.get('X-OSF-OTP') if otp is None or not user_addon.verify_code(otp): # Must specify two-factor authentication OTP code or invalid two-factor # authentication OTP code. session.data['auth_error_code'] = http.UNAUTHORIZED return session.data['auth_user_username'] = user.username session.data['auth_user_id'] = user._primary_key session.data['auth_user_fullname'] = user.fullname else: # Invalid key: Not found in database session.data['auth_error_code'] = http.UNAUTHORIZED return cookie = request.cookies.get(settings.COOKIE_NAME) if cookie: try: session_id = itsdangerous.Signer(settings.SECRET_KEY).unsign(cookie) session = Session.load(session_id) or Session(_id=session_id) except itsdangerous.BadData: return if not util_time.throttle_period_expired(session.date_created, settings.OSF_SESSION_TIMEOUT): if session.data.get('auth_user_id') and 'api' not in request.url: database['user'].update({'_id': session.data.get('auth_user_id')}, {'$set': {'date_last_login': datetime.utcnow()}}, w=0) set_session(session) else: remove_session(session)
def authenticate_credentials(self, userid, password): """ Authenticate the userid and password against username and password. """ user = get_user(email=userid, password=password) if userid and user is None: raise exceptions.AuthenticationFailed(_('Invalid username/password.')) elif userid is None and password is None: raise exceptions.NotAuthenticated() return (user, None)
def before_request(): from framework.auth import cas # Central Authentication Server Ticket Validation and Authentication ticket = request.args.get('ticket') if ticket: service_url = furl.furl(request.url) service_url.args.pop('ticket') # Attempt autn wih CAS, and return a proper redirect response resp = cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url) if request.cookies.get(settings.COOKIE_NAME): # TODO: Delete legacy cookie, this special case can be removed anytime after 1/1/2016. # A cookie is received which could potentially be a legacy (pre multi-domain) cookie. # Issuing a targeted delete of the legacy cookie ensures the user does not end up in a # login loop whereby both cookies are sent to the server and one of them at random # read for authentication. resp.delete_cookie(settings.COOKIE_NAME, domain=None) return resp if request.authorization: # TODO: Fix circular import from framework.auth.core import get_user user = get_user( email=request.authorization.username, password=request.authorization.password ) # Create empty session # TODO: Shoudn't need to create a session for Basic Auth session = Session() if user: session.data['auth_user_username'] = user.username session.data['auth_user_id'] = user._primary_key session.data['auth_user_fullname'] = user.fullname user.date_last_login = datetime.utcnow() user.save() else: # Invalid key: Not found in database session.data['auth_error_code'] = http.FORBIDDEN set_session(session) return cookie = request.cookies.get(settings.COOKIE_NAME) if cookie: try: session_id = itsdangerous.Signer(settings.SECRET_KEY).unsign(cookie) session = Session.load(session_id) or Session(_id=session_id) except itsdangerous.BadData: return if session.data.get('auth_user_id'): database['user'].update({'_id': session.data.get('auth_user_id')}, {'$set': {'date_last_login': datetime.utcnow()}}, w=0) set_session(session)
def before_request(): from framework.auth import cas # Central Authentication Server Ticket Validation and Authentication ticket = request.args.get('ticket') if ticket: service_url = furl.furl(request.url) service_url.args.pop('ticket') # Attempt autn wih CAS, and return a proper redirect response resp = cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url) if request.cookies.get(settings.COOKIE_NAME): # TODO: Delete legacy cookie, this special case can be removed anytime after 1/1/2016. # A cookie is received which could potentially be a legacy (pre multi-domain) cookie. # Issuing a targeted delete of the legacy cookie ensures the user does not end up in a # login loop whereby both cookies are sent to the server and one of them at random # read for authentication. resp.delete_cookie(settings.COOKIE_NAME, domain=None) return resp if request.authorization: # TODO: Fix circular import from framework.auth.core import get_user user = get_user( email=request.authorization.username, password=request.authorization.password ) # Create empty session # TODO: Shoudn't need to create a session for Basic Auth session = Session() if user: session.data['auth_user_username'] = user.username session.data['auth_user_id'] = user._primary_key session.data['auth_user_fullname'] = user.fullname else: # Invalid key: Not found in database session.data['auth_error_code'] = http.FORBIDDEN set_session(session) return cookie = request.cookies.get(settings.COOKIE_NAME) if cookie: try: session_id = itsdangerous.Signer(settings.SECRET_KEY).unsign(cookie) session = Session.load(session_id) or Session(_id=session_id) set_session(session) return except: pass
def get_or_create_user(fullname, address, is_spam=False): """Get or create user by email address. :param str fullname: User full name :param str address: User email address :param bool is_spam: User flagged as potential spam :return: Tuple of (user, created) """ user = get_user(email=address) if user: return user, False else: password = str(uuid.uuid4()) user = User.create_confirmed(address, password, fullname) user.verification_key = generate_verification_key() if is_spam: user.system_tags.append('is_spam') return user, True
def post(self, request, *args, **kwargs): claimer = request.user email = (request.data.get('email', None) or '').lower().strip() record_id = (request.data.get('id', None) or '').lower().strip() if not record_id: raise ValidationError('Must specify record "id".') claimed_user = self.get_user(check_permissions=True) # Ensures claimability if claimed_user.is_disabled: raise ValidationError('Cannot claim disabled account.') try: record_referent = Guid.objects.get(_id=record_id).referent except Guid.DoesNotExist: raise NotFound('Unable to find specified record.') try: unclaimed_record = claimed_user.unclaimed_records[record_referent._id] except KeyError: if isinstance(record_referent, Preprint) and record_referent.node and record_referent.node._id in claimed_user.unclaimed_records: record_referent = record_referent.node unclaimed_record = claimed_user.unclaimed_records[record_referent._id] else: raise NotFound('Unable to find specified record.') if claimer.is_anonymous and email: claimer = get_user(email=email) try: if claimer and claimer.is_registered: self._send_claim_email(claimer, claimed_user, record_referent, registered=True) else: self._send_claim_email(email, claimed_user, record_referent, notify=True, registered=False) except HTTPError as e: raise ValidationError(e.data['message_long']) elif isinstance(claimer, OSFUser): if unclaimed_record.get('referrer_id', '') == claimer._id: raise ValidationError('Referrer cannot claim user.') try: self._send_claim_email(claimer, claimed_user, record_referent, registered=True) except HTTPError as e: raise ValidationError(e.data['message_long']) else: raise ValidationError('Must either be logged in or specify claim email.') return Response(status=status.HTTP_204_NO_CONTENT)
def before_request(): from framework.auth import cas # Central Authentication Server Ticket Validation and Authentication ticket = request.args.get('ticket') if ticket: service_url = furl.furl(request.url) service_url.args.pop('ticket') # Attempt autn wih CAS, and return a proper redirect response return cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url) if request.authorization: # TODO: Fix circular import from framework.auth.core import get_user user = get_user( email=request.authorization.username, password=request.authorization.password ) # Create empty session # TODO: Shoudn't need to create a session for Basic Auth session = Session() if user: session.data['auth_user_username'] = user.username session.data['auth_user_id'] = user._primary_key session.data['auth_user_fullname'] = user.fullname else: # Invalid key: Not found in database session.data['auth_error_code'] = http.FORBIDDEN set_session(session) return cookie = request.cookies.get(settings.COOKIE_NAME) if cookie: try: session_id = itsdangerous.Signer(settings.SECRET_KEY).unsign(cookie) session = Session.load(session_id) or Session(_id=session_id) set_session(session) return except: pass
def before_request(): from framework.auth import cas # Central Authentication Server Ticket Validation and Authentication ticket = request.args.get('ticket') if ticket: service_url = furl.furl(request.url) service_url.args.pop('ticket') # Attempt autn wih CAS, and return a proper redirect response return cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url) if request.authorization: # TODO: Fix circular import from framework.auth.core import get_user user = get_user(email=request.authorization.username, password=request.authorization.password) # Create empty session # TODO: Shoudn't need to create a session for Basic Auth session = Session() if user: session.data['auth_user_username'] = user.username session.data['auth_user_id'] = user._primary_key session.data['auth_user_fullname'] = user.fullname else: # Invalid key: Not found in database session.data['auth_error_code'] = http.FORBIDDEN set_session(session) return cookie = request.cookies.get(settings.COOKIE_NAME) if cookie: try: session_id = itsdangerous.Signer( settings.SECRET_KEY).unsign(cookie) session = Session.load(session_id) or Session(_id=session_id) set_session(session) return except: pass
def invite_contributor_post(node, **kwargs): """API view for inviting an unregistered user. Performs validation, but does not actually invite the user. Expects JSON arguments with 'fullname' (required) and email (not required). """ fullname = request.json.get('fullname').strip() email = request.json.get('email') # Validate and sanitize inputs as needed. Email will raise error if invalid. fullname = sanitize.strip_html(fullname) if email: email = email.lower().strip() try: validate_email(email) except ValidationError as e: return {'status': 400, 'message': e.message}, 400 if not fullname: return { 'status': 400, 'message': 'Full name field cannot be empty' }, 400 # Check if email is in the database user = get_user(email=email) if user: if user.is_registered: msg = 'User is already in database. Please go back and try your search again.' return {'status': 400, 'message': msg}, 400 elif node.is_contributor(user): msg = 'User with this email address is already a contributor to this project.' return {'status': 400, 'message': msg}, 400 elif not user.is_confirmed: serialized = profile_utils.serialize_unregistered(fullname, email) else: serialized = profile_utils.add_contributor_json(user) # use correct display name serialized['fullname'] = fullname serialized['email'] = email else: # Create a placeholder serialized = profile_utils.serialize_unregistered(fullname, email) return {'status': 'success', 'contributor': serialized}
def authenticate_credentials(self, userid, password): """ Authenticate the user by userid (email) and password. :param userid: the username or email :param password: the password :return: the User :raises: NotAuthenticated :raises: AuthenticationFailed """ user = get_user(email=userid, password=password) if userid and not user: raise exceptions.AuthenticationFailed(_('Invalid username/password.')) elif userid is None and password is None: raise exceptions.NotAuthenticated() check_user(user) return user, None
def authenticate_credentials(self, userid, password, request=None): """ Authenticate the user by userid (email) and password. :param userid: the username or email :param password: the password :return: the User :raises: NotAuthenticated :raises: AuthenticationFailed """ user = get_user(email=userid, password=password) if userid and not user: raise exceptions.AuthenticationFailed(_('Invalid username/password.')) elif userid is None and password is None: raise exceptions.NotAuthenticated() check_user(user) return user, None
def get_or_create_user(fullname, address, is_spam): """Get or create user by email address. :param str fullname: User full name :param str address: User email address :param bool is_spam: User flagged as potential spam :return: Tuple of (user, created) """ user = get_user(email=address) if user: return user, False else: password = str(uuid.uuid4()) user = User.create_confirmed(address, password, fullname) user.verification_key = security.random_string(20) if is_spam: user.system_tags.append('is_spam') user.save() signals.user_confirmed.send(user) return user, True
def get_or_create_user(fullname, address, is_spam): """Get or create user by email address. :param str fullname: User full name :param str address: User email address :param bool is_spam: User flagged as potential spam :return: Tuple of (user, created) """ user = get_user(email=address) if user: return user, False else: password = str(uuid.uuid4()) user = User.create_confirmed(address, password, fullname) user.verification_key = security.random_string(20) if is_spam: user.system_tags.append('is_spam') # user.save() # signals.user_confirmed.send(user) return user, True
def get_or_create_user(fullname, address, reset_password=True, is_spam=False): """ Get or create user by fullname and email address. :param str fullname: user full name :param str address: user email address :param boolean reset_password: ask user to reset their password :param bool is_spam: user flagged as potential spam :return: tuple of (user, created) """ user = get_user(email=address) if user: return user, False else: password = str(uuid.uuid4()) user = User.create_confirmed(address, password, fullname) if password: user.verification_key_v2 = generate_verification_key(verification_type='password') if is_spam: user.system_tags.append('is_spam') return user, True
def register_unconfirmed(username, password, fullname, campaign=None): user = get_user(email=username) if not user: user = User.create_unconfirmed( username=username, password=password, fullname=fullname, campaign=campaign, ) user.save() signals.unconfirmed_user_created.send(user) elif not user.is_registered: # User is in db but not registered user.add_unconfirmed_email(username) user.set_password(password) user.fullname = fullname user.update_guessed_names() user.save() else: raise DuplicateEmailError('User {0!r} already exists'.format(username)) return user
def get_or_create_user(fullname, address, reset_password=True, is_spam=False): """ Get or create user by fullname and email address. :param str fullname: user full name :param str address: user email address :param boolean reset_password: ask user to reset their password :param bool is_spam: user flagged as potential spam :return: tuple of (user, created) """ user = get_user(email=address) if user: return user, False else: password = str(uuid.uuid4()) user = User.create_confirmed(address, password, fullname) if password: user.verification_key_v2 = generate_verification_key( verification_type='password') if is_spam: user.system_tags.append('is_spam') return user, True
def invite_contributor_post(node, **kwargs): """API view for inviting an unregistered user. Performs validation, but does not actually invite the user. Expects JSON arguments with 'fullname' (required) and email (not required). """ fullname = request.json.get('fullname').strip() email = request.json.get('email') # Validate and sanitize inputs as needed. Email will raise error if invalid. fullname = sanitize.strip_html(fullname) if email: email = email.lower().strip() try: validate_email(email) except ValidationError as e: return {'status': 400, 'message': e.message}, 400 if not fullname: return {'status': 400, 'message': 'Full name field cannot be empty'}, 400 # Check if email is in the database user = get_user(email=email) if user: if user.is_registered: msg = 'User is already in database. Please go back and try your search again.' return {'status': 400, 'message': msg}, 400 elif node.is_contributor(user): msg = 'User with this email address is already a contributor to this project.' return {'status': 400, 'message': msg}, 400 elif not user.is_confirmed: serialized = profile_utils.serialize_unregistered(fullname, email) else: serialized = profile_utils.add_contributor_json(user) # use correct display name serialized['fullname'] = fullname serialized['email'] = email else: # Create a placeholder serialized = profile_utils.serialize_unregistered(fullname, email) return {'status': 'success', 'contributor': serialized}
def claim_user_post(node, **kwargs): """ View for claiming a user from the X-editable form on a project page. :param node: the project node :return: """ request_data = request.json # The unclaimed user unclaimed_user = OSFUser.load(request_data['pk']) unclaimed_data = unclaimed_user.get_unclaimed_record(node._primary_key) # Claimer is not logged in and submit her/his email through X-editable, stored in `request_data['value']` if 'value' in request_data: email = request_data['value'].lower().strip() claimer = get_user(email=email) # registered user if claimer and claimer.is_registered: send_claim_registered_email(claimer, unclaimed_user, node) # unregistered user else: send_claim_email(email, unclaimed_user, node, notify=True) # Claimer is logged in with confirmed identity stored in `request_data['claimerId']` elif 'claimerId' in request_data: claimer_id = request_data['claimerId'] claimer = OSFUser.load(claimer_id) send_claim_registered_email(claimer, unclaimed_user, node) email = claimer.username else: raise HTTPError(http_status.HTTP_400_BAD_REQUEST) return { 'status': 'success', 'email': email, 'fullname': unclaimed_data['name'] }
def get_or_create_user(fullname, address, reset_password=True, is_spam=False): """ Get or create user by fullname and email address. :param str fullname: user full name :param str address: user email address :param boolean reset_password: ask user to reset their password :param bool is_spam: user flagged as potential spam :return: tuple of (user, created) """ from osf.models import OSFUser user = get_user(email=address) if user: return user, False else: password = str(uuid.uuid4()) user = OSFUser.create_confirmed(address, password, fullname) if reset_password: user.verification_key_v2 = generate_verification_key(verification_type='password') if is_spam: user.save() # need to save in order to add a tag user.add_system_tag('is_spam') return user, True
def authenticate(self, username=None, password=None): return get_user(email=username, password=password) or None
def before_request(): # TODO: Fix circular import from framework.auth.core import get_user from framework.auth import cas from framework.utils import throttle_period_expired Session = apps.get_model('osf.Session') # Central Authentication Server Ticket Validation and Authentication ticket = request.args.get('ticket') if ticket: service_url = furl.furl(request.url) service_url.args.pop('ticket') # Attempt to authenticate wih CAS, and return a proper redirect response return cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url) if request.authorization: user = get_user(email=request.authorization.username, password=request.authorization.password) # Create an empty session # TODO: Shoudn't need to create a session for Basic Auth user_session = Session() set_session(user_session) if user: user_addon = user.get_addon('twofactor') if user_addon and user_addon.is_confirmed: otp = request.headers.get('X-OSF-OTP') if otp is None or not user_addon.verify_code(otp): # Must specify two-factor authentication OTP code or invalid two-factor authentication OTP code. user_session.data[ 'auth_error_code'] = http_status.HTTP_401_UNAUTHORIZED return user_session.data['auth_user_username'] = user.username user_session.data['auth_user_fullname'] = user.fullname if user_session.data.get('auth_user_id', None) != user._primary_key: user_session.data['auth_user_id'] = user._primary_key user_session.save() else: # Invalid key: Not found in database user_session.data[ 'auth_error_code'] = http_status.HTTP_401_UNAUTHORIZED return cookie = request.cookies.get(settings.COOKIE_NAME) if cookie: try: session_id = itsdangerous.Signer( settings.SECRET_KEY).unsign(cookie) user_session = Session.load(session_id) or Session(_id=session_id) except itsdangerous.BadData: return if not throttle_period_expired(user_session.created, settings.OSF_SESSION_TIMEOUT): # Update date last login when making non-api requests if user_session.data.get( 'auth_user_id') and 'api' not in request.url: OSFUser = apps.get_model('osf.OSFUser') (OSFUser.objects.filter( guids___id__isnull=False, guids___id=user_session.data['auth_user_id']) # Throttle updates .filter( Q(date_last_login__isnull=True) | Q(date_last_login__lt=timezone.now() - dt.timedelta( seconds=settings.DATE_LAST_LOGIN_THROTTLE)))).update( date_last_login=timezone.now()) set_session(user_session) else: remove_session(user_session)
def dispatch(self, request, *args, **kwargs): eppn = request.environ['HTTP_AUTH_EPPN'] seps = eppn.split(SHIB_EPPN_SCOPING_SEPARATOR)[-1] institution = Institution.objects.filter( domains__contains=[str(seps)]).first() if not institution: return redirect('auth:login') if not eppn: message = 'login failed: permission denied.' logging.info(message) messages.error(self.request, message) return redirect('auth:login') eppn_user = get_user(eppn=eppn) if eppn_user: try: others = eppn_user.affiliated_institutions.exclude( id=institution.id).get() except Institution.DoesNotExist: pass else: eppn_user.affiliated_institutions.remove(others) eppn_user.affiliated_institutions.add(institution) if 'GakuninRDMAdmin' in request.environ['HTTP_AUTH_ENTITLEMENT']: # login success # code is below this if/else tree eppn_user.is_staff = True eppn_user.save() else: # login failure occurs and the screen transits to the error screen # not sure about this code eppn_user.is_staff = False eppn_user.save() message = 'login failed: permission denied.' logging.info(message) messages.error(self.request, message) return redirect('auth:login') else: if 'GakuninRDMAdmin' not in request.environ[ 'HTTP_AUTH_ENTITLEMENT']: message = 'login failed: no user with matching eppn' messages.error(self.request, message) return redirect('auth:login') else: new_user, created = get_or_create_user( request.environ['HTTP_AUTH_DISPLAYNAME'] or 'NO NAME', eppn, reset_password=False) USE_EPPN = login_by_eppn() if USE_EPPN: new_user.eppn = eppn new_user.have_email = False else: new_user.eppn = None new_user.have_email = True new_user.is_staff = True new_user.eppn = eppn new_user.have_email = False new_user.save() new_user.affiliated_institutions.add(institution) eppn_user = new_user guid = Guid.objects.get( object_id=eppn_user.id, content_type_id=ContentType.objects.get_for_model(OSFUser).id) if not userkey_generation_check(guid._id): userkey_generation(guid._id) login(request, eppn_user, backend='api.base.authentication.backends.ODMBackend') # Transit to the administrator's home screen return redirect(self.get_success_url())
def before_request(): # TODO: Fix circular import from framework.auth.core import get_user from framework.auth import cas from website.util import time as util_time Session = apps.get_model('osf.Session') # Central Authentication Server Ticket Validation and Authentication ticket = request.args.get('ticket') if ticket: service_url = furl.furl(request.url) service_url.args.pop('ticket') # Attempt to authenticate wih CAS, and return a proper redirect response return cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url) if request.authorization: user = get_user( email=request.authorization.username, password=request.authorization.password ) # Create an empty session # TODO: Shoudn't need to create a session for Basic Auth user_session = Session() set_session(user_session) if user: user_addon = user.get_addon('twofactor') if user_addon and user_addon.is_confirmed: otp = request.headers.get('X-OSF-OTP') if otp is None or not user_addon.verify_code(otp): # Must specify two-factor authentication OTP code or invalid two-factor authentication OTP code. user_session.data['auth_error_code'] = http.UNAUTHORIZED return user_session.data['auth_user_username'] = user.username user_session.data['auth_user_fullname'] = user.fullname if user_session.data.get('auth_user_id', None) != user._primary_key: user_session.data['auth_user_id'] = user._primary_key user_session.save() else: # Invalid key: Not found in database user_session.data['auth_error_code'] = http.UNAUTHORIZED return cookie = request.cookies.get(settings.COOKIE_NAME) if cookie: try: session_id = itsdangerous.Signer(settings.SECRET_KEY).unsign(cookie) user_session = Session.load(session_id) or Session(_id=session_id) except itsdangerous.BadData: return if not util_time.throttle_period_expired(user_session.created, settings.OSF_SESSION_TIMEOUT): # Update date last login when making non-api requests if user_session.data.get('auth_user_id') and 'api' not in request.url: OSFUser = apps.get_model('osf.OSFUser') ( OSFUser.objects .filter(guids___id__isnull=False, guids___id=user_session.data['auth_user_id']) # Throttle updates .filter(Q(date_last_login__isnull=True) | Q(date_last_login__lt=timezone.now() - dt.timedelta(seconds=settings.DATE_LAST_LOGIN_THROTTLE))) ).update(date_last_login=timezone.now()) set_session(user_session) else: remove_session(user_session)
def before_request(): from framework import sentry from framework.auth import cas from framework.auth.core import User from framework.auth import authenticate from framework.routing import json_renderer # Central Authentication Server Ticket Validation and Authentication ticket = request.args.get('ticket') if ticket: service_url = furl.furl(request.url) service_url.args.pop('ticket') # Attempt autn wih CAS, and return a proper redirect response return cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url) # Central Authentication Server OAuth Bearer Token authorization = request.headers.get('Authorization') if authorization and authorization.startswith('Bearer '): client = cas.get_client() try: access_token = cas.parse_auth_header(authorization) cas_resp = client.profile(access_token) except cas.CasError as err: sentry.log_exception() # NOTE: We assume that the request is an AJAX request return json_renderer(err) if cas_resp.authenticated: user = User.load(cas_resp.user) return authenticate(user, access_token=access_token, response=None) return make_response('', http.UNAUTHORIZED) if request.authorization: # TODO: Fix circular import from framework.auth.core import get_user user = get_user(email=request.authorization.username, password=request.authorization.password) # Create empty session # TODO: Shoudn't need to create a session for Basic Auth session = Session() if user: session.data['auth_user_username'] = user.username session.data['auth_user_id'] = user._primary_key session.data['auth_user_fullname'] = user.fullname else: # Invalid key: Not found in database session.data['auth_error_code'] = http.FORBIDDEN set_session(session) return cookie = request.cookies.get(settings.COOKIE_NAME) if cookie: try: session_id = itsdangerous.Signer( settings.SECRET_KEY).unsign(cookie) session = Session.load(session_id) or Session(_id=session_id) set_session(session) return except: pass
def test_get_user_with_wrong_password_returns_false(self): user = UserFactory.build() user.set_password('killerqueen') assert bool( get_user(email=user.username, password='******') ) is False
def test_get_user_by_email(self): user = UserFactory() assert get_user(email=user.username) == user assert get_user(email=user.username.upper()) == user
def test_get_user_with_wrong_password_returns_false(self): user = UserFactory.build() user.set_password('killerqueen') assert bool(get_user(email=user.username, password='******')) is False