def get_targets():
    users = []
    user1 = get_user(email="*****@*****.**")
    if user1:
        users.append(user1)
    user2 = get_user(email="*****@*****.**")
    if user2:
        users.append(user2)
    return users
Exemple #2
0
def get_targets():
    users = []
    user1 = get_user(email='*****@*****.**')
    if user1:
        users.append(user1)
    user2 = get_user(email='*****@*****.**')
    if user2:
        users.append(user2)
    return users
Exemple #3
0
def get_user_from_cas_resp(cas_resp):
    """
    Given a CAS service validation response, attempt to retrieve user information and next action.

    :param cas_resp: the cas service validation response
    :return: the user, the external_credential, and the next action
    """

    if cas_resp.user:
        user = User.load(cas_resp.user)
        # cas returns a valid OSF user id
        if user:
            return user, None, 'authenticate'
        # cas does not return a valid OSF user id
        else:
            external_credential = validate_external_credential(cas_resp.user)
            # invalid cas response
            if not external_credential:
                return None, None, None
            # cas returns a valid external credential
            user = get_user(
                external_id_provider=external_credential['provider'],
                external_id=external_credential['id'])
            # existing user found
            if user:
                return user, external_credential, 'authenticate'
            # user first time login through external identity provider
            else:
                return None, external_credential, 'external_first_login'
Exemple #4
0
def get_user_from_cas_resp(cas_resp):
    """
    Given a CAS service validation response, attempt to retrieve user information and next action.
    The `user` in `cas_resp` is the unique GUID of the user. Please do not use the primary key `id`
    or the email `username`. This holds except for the first step of ORCiD login.

    :param cas_resp: the cas service validation response
    :return: the user, the external_credential, and the next action
    """
    from osf.models import OSFUser
    if cas_resp.user:
        user = OSFUser.load(cas_resp.user)
        # cas returns a valid OSF user id
        if user:
            return user, None, 'authenticate'
        # cas does not return a valid OSF user id
        else:
            external_credential = validate_external_credential(cas_resp.user)
            # invalid cas response
            if not external_credential:
                return None, None, None
            # cas returns a valid external credential
            user = get_user(external_id_provider=external_credential['provider'],
                            external_id=external_credential['id'])
            # existing user found
            if user:
                return user, external_credential, 'authenticate'
            # user first time login through external identity provider
            else:
                return None, external_credential, 'external_first_login'
Exemple #5
0
def register_unconfirmed(username,
                         password,
                         fullname,
                         campaign=None,
                         accepted_terms_of_service=None):
    from osf.models import OSFUser
    user = get_user(email=username)
    if not user:
        user = OSFUser.create_unconfirmed(
            username=username,
            password=password,
            fullname=fullname,
            campaign=campaign,
            accepted_terms_of_service=accepted_terms_of_service)
        user.save()
        signals.unconfirmed_user_created.send(user)

    elif not user.is_registered:  # User is in db but not registered
        user.add_unconfirmed_email(username)
        user.set_password(password)
        user.fullname = fullname
        user.update_guessed_names()
        user.save()
    else:
        raise DuplicateEmailError(
            'OSFUser {0!r} already exists'.format(username))
    return user
Exemple #6
0
def get_admin_users(admins):
    """Returns a list of user objects

    If used in conjunction with MeetingForm it will already have checked for
    emails that don't match OSF users.
    """
    return [get_user(email=e) for e in admins]
    def add_unregistered_member(self, fullname, email, auth, role=MEMBER):
        """Add unregistered member or manager to OSFGroup

        :param fullname: string, user fullname
        :param email: email, user email
        :param auth: Auth object
        :param role: string, "member" or "manager", default is member
        """
        OSFUser = apps.get_model('osf.OSFUser')

        try:
            validate_email(email)
        except BlacklistedEmailError:
            raise ValidationError('Email address domain is blacklisted.')

        user = get_user(email=email)
        if user:
            if user.is_registered or self.is_member(user):
                raise ValueError('User already exists.')
        else:
            user = OSFUser.create_unregistered(fullname=fullname, email=email)
        user.add_unclaimed_record(self,
                                  referrer=auth.user,
                                  given_name=fullname,
                                  email=email)
        user.save()

        if role == MANAGER:
            self.make_manager(user, auth=auth)
        else:
            self.make_member(user, auth=auth)

        return user
Exemple #8
0
def claim_user_post(node, **kwargs):
    """View for claiming a user from the X-editable form on a project page.
    """
    reqdata = request.json
    # Unreg user
    user = User.load(reqdata['pk'])
    unclaimed_data = user.get_unclaimed_record(node._primary_key)
    # Submitted through X-editable
    if 'value' in reqdata:  # Submitted email address
        email = reqdata['value'].lower().strip()
        claimer = get_user(email=email)
        if claimer and claimer.is_registered:
            send_claim_registered_email(claimer=claimer, unreg_user=user,
                node=node)
        else:
            send_claim_email(email, user, node, notify=True)
    # TODO(sloria): Too many assumptions about the request data. Just use
    elif 'claimerId' in reqdata:  # User is logged in and confirmed identity
        claimer_id = reqdata['claimerId']
        claimer = User.load(claimer_id)
        send_claim_registered_email(claimer=claimer, unreg_user=user, node=node)
        email = claimer.username
    else:
        raise HTTPError(http.BAD_REQUEST)
    return {
        'status': 'success',
        'email': email,
        'fullname': unclaimed_data['name']
    }
Exemple #9
0
def deserialize_contributors(node, user_dicts, auth, validate=False):
    """View helper that returns a list of User objects from a list of
    serialized users (dicts). The users in the list may be registered or
    unregistered users.

    e.g. ``[{'id': 'abc123', 'registered': True, 'fullname': ..},
            {'id': None, 'registered': False, 'fullname'...},
            {'id': '123ab', 'registered': False, 'fullname': ...}]

    If a dict represents an unregistered user without an ID, creates a new
    unregistered User record.

    :param Node node: The node to add contributors to
    :param list(dict) user_dicts: List of serialized users in the format above.
    :param Auth auth:
    :param bool validate: Whether to validate and sanitize fields (if necessary)
    """

    # Add the registered contributors
    contribs = []
    for contrib_dict in user_dicts:
        fullname = contrib_dict['fullname']
        visible = contrib_dict['visible']
        email = contrib_dict.get('email')

        if validate is True:
            # Validate and sanitize inputs as needed. Email will raise error if invalid.
            # TODO Edge case bug: validation and saving are performed in same loop, so all in list
            # up to the invalid entry will be saved. (communicate to the user what needs to be retried)
            fullname = sanitize.strip_html(fullname)
            if not fullname:
                raise ValidationError('Full name field cannot be empty')
            if email:
                validate_email(email)  # Will raise a ValidationError if email invalid

        if contrib_dict['id']:
            contributor = OSFUser.load(contrib_dict['id'])
        else:
            try:
                contributor = OSFUser.create_unregistered(
                    fullname=fullname,
                    email=email)
                contributor.save()
            except ValidationError:
                ## FIXME: This suppresses an exception if ID not found & new validation fails; get_user will return None
                contributor = get_user(email=email)

        # Add unclaimed record if necessary
        if not contributor.is_registered:
            contributor.add_unclaimed_record(node, referrer=auth.user,
                given_name=fullname,
                email=email)
            contributor.save()

        contribs.append({
            'user': contributor,
            'visible': visible,
            'permissions': expand_permissions(contrib_dict.get('permission'))
        })
    return contribs
Exemple #10
0
def get_user_from_cas_resp(cas_resp):
    """
    Given a CAS service validation response, attempt to retrieve user information and next action.
    The `user` in `cas_resp` is the unique GUID of the user. Please do not use the primary key `id`
    or the email `username`. This holds except for the first step of ORCiD login.

    :param cas_resp: the cas service validation response
    :return: the user, the external_credential, and the next action
    """
    from osf.models import OSFUser
    if cas_resp.user:
        user = OSFUser.load(cas_resp.user)
        # cas returns a valid OSF user id
        if user:
            return user, None, 'authenticate'
        # cas does not return a valid OSF user id
        else:
            external_credential = validate_external_credential(cas_resp.user)
            # invalid cas response
            if not external_credential:
                return None, None, None
            # cas returns a valid external credential
            user = get_user(
                external_id_provider=external_credential['provider'],
                external_id=external_credential['id'])
            # existing user found
            if user:
                return user, external_credential, 'authenticate'
            # user first time login through external identity provider
            else:
                return None, external_credential, 'external_first_login'
Exemple #11
0
def before_request():
    # TODO: Fix circular import
    from framework.auth.core import get_user
    from framework.auth import cas
    from website.util import time as util_time

    # Central Authentication Server Ticket Validation and Authentication
    ticket = request.args.get('ticket')
    if ticket:
        service_url = furl.furl(request.url)
        service_url.args.pop('ticket')
        # Attempt to authenticate wih CAS, and return a proper redirect response
        return cas.make_response_from_ticket(ticket=ticket,
                                             service_url=service_url.url)

    if request.authorization:
        user = get_user(email=request.authorization.username,
                        password=request.authorization.password)
        # Create an empty session
        # TODO: Shoudn't need to create a session for Basic Auth
        user_session = Session()
        set_session(user_session)

        if user:
            user_addon = user.get_addon('twofactor')
            if user_addon and user_addon.is_confirmed:
                otp = request.headers.get('X-OSF-OTP')
                if otp is None or not user_addon.verify_code(otp):
                    # Must specify two-factor authentication OTP code or invalid two-factor authentication OTP code.
                    user_session.data['auth_error_code'] = http.UNAUTHORIZED
                    return
            user_session.data['auth_user_username'] = user.username
            user_session.data['auth_user_id'] = user._primary_key
            user_session.data['auth_user_fullname'] = user.fullname
        else:
            # Invalid key: Not found in database
            user_session.data['auth_error_code'] = http.UNAUTHORIZED
        return

    cookie = request.cookies.get(settings.COOKIE_NAME)
    if cookie:
        try:
            session_id = itsdangerous.Signer(
                settings.SECRET_KEY).unsign(cookie)
            user_session = Session.load(session_id) or Session(_id=session_id)
        except itsdangerous.BadData:
            return
        if not util_time.throttle_period_expired(user_session.date_created,
                                                 settings.OSF_SESSION_TIMEOUT):
            if user_session.data.get(
                    'auth_user_id') and 'api' not in request.url:
                database['user'].update(
                    {'_id': user_session.data.get('auth_user_id')},
                    {'$set': {
                        'date_last_login': datetime.utcnow()
                    }},
                    w=0)
            set_session(user_session)
        else:
            remove_session(user_session)
Exemple #12
0
def get_admin_users(admins):
    """Returns a list of user objects

    If used in conjunction with MeetingForm it will already have checked for
    emails that don't match OSF users.
    """
    return [get_user(email=e) for e in admins]
Exemple #13
0
def deserialize_contributors(node, user_dicts, auth, validate=False):
    """View helper that returns a list of User objects from a list of
    serialized users (dicts). The users in the list may be registered or
    unregistered users.

    e.g. ``[{'id': 'abc123', 'registered': True, 'fullname': ..},
            {'id': None, 'registered': False, 'fullname'...},
            {'id': '123ab', 'registered': False, 'fullname': ...}]

    If a dict represents an unregistered user without an ID, creates a new
    unregistered User record.

    :param Node node: The node to add contributors to
    :param list(dict) user_dicts: List of serialized users in the format above.
    :param Auth auth:
    :param bool validate: Whether to validate and sanitize fields (if necessary)
    """

    # Add the registered contributors
    contribs = []
    for contrib_dict in user_dicts:
        fullname = contrib_dict['fullname']
        visible = contrib_dict['visible']
        email = contrib_dict.get('email')

        if validate is True:
            # Validate and sanitize inputs as needed. Email will raise error if invalid.
            # TODO Edge case bug: validation and saving are performed in same loop, so all in list
            # up to the invalid entry will be saved. (communicate to the user what needs to be retried)
            fullname = sanitize.strip_html(fullname)
            if not fullname:
                raise ValidationError('Full name field cannot be empty')
            if email:
                validate_email(email)  # Will raise a ValidationError if email invalid

        if contrib_dict['id']:
            contributor = OSFUser.load(contrib_dict['id'])
        else:
            try:
                contributor = OSFUser.create_unregistered(
                    fullname=fullname,
                    email=email)
                contributor.save()
            except ValidationError:
                ## FIXME: This suppresses an exception if ID not found & new validation fails; get_user will return None
                contributor = get_user(email=email)

        # Add unclaimed record if necessary
        if not contributor.is_registered:
            contributor.add_unclaimed_record(node, referrer=auth.user,
                given_name=fullname,
                email=email)
            contributor.save()

        contribs.append({
            'user': contributor,
            'visible': visible,
            'permissions': expand_permissions(contrib_dict.get('permission'))
        })
    return contribs
Exemple #14
0
def claim_user_post(node, **kwargs):
    """
    View for claiming a user from the X-editable form on a project page.

    :param node: the project node
    :return:
    """

    request_data = request.json

    # The unclaimed user
    unclaimed_user = User.load(request_data["pk"])
    unclaimed_data = unclaimed_user.get_unclaimed_record(node._primary_key)

    # Claimer is not logged in and submit her/his email through X-editable, stored in `request_data['value']`
    if "value" in request_data:
        email = request_data["value"].lower().strip()
        claimer = get_user(email=email)
        # registered user
        if claimer and claimer.is_registered:
            send_claim_registered_email(claimer, unclaimed_user, node)
        # unregistered user
        else:
            send_claim_email(email, unclaimed_user, node, notify=True)
    # Claimer is logged in with confirmed identity stored in `request_data['claimerId']`
    elif "claimerId" in request_data:
        claimer_id = request_data["claimerId"]
        claimer = User.load(claimer_id)
        send_claim_registered_email(claimer, unclaimed_user, node)
        email = claimer.username
    else:
        raise HTTPError(http.BAD_REQUEST)

    return {"status": "success", "email": email, "fullname": unclaimed_data["name"]}
Exemple #15
0
def claim_user_post(node, **kwargs):
    """View for claiming a user from the X-editable form on a project page.
    """
    reqdata = request.json
    # Unreg user
    user = User.load(reqdata['pk'])
    unclaimed_data = user.get_unclaimed_record(node._primary_key)
    # Submitted through X-editable
    if 'value' in reqdata:  # Submitted email address
        email = reqdata['value'].lower().strip()
        claimer = get_user(email=email)
        if claimer and claimer.is_registered:
            send_claim_registered_email(claimer=claimer,
                                        unreg_user=user,
                                        node=node)
        else:
            send_claim_email(email, user, node, notify=True)
    # TODO(sloria): Too many assumptions about the request data. Just use
    elif 'claimerId' in reqdata:  # User is logged in and confirmed identity
        claimer_id = reqdata['claimerId']
        claimer = User.load(claimer_id)
        send_claim_registered_email(claimer=claimer,
                                    unreg_user=user,
                                    node=node)
        email = claimer.username
    else:
        raise HTTPError(http.BAD_REQUEST)
    return {
        'status': 'success',
        'email': email,
        'fullname': unclaimed_data['name']
    }
Exemple #16
0
def get_user_from_cas_resp(cas_resp):
    """
    Given a CAS service validation response, attempt to retrieve user information and next action.

    :param cas_resp: the cas service validation response
    :return: the user, the external_credential, and the next action
    """

    if cas_resp.user:
        user = User.load(cas_resp.user)
        # cas returns a valid OSF user id
        if user:
            return user, None, 'authenticate'
        # cas does not return a valid OSF user id
        else:
            external_credential = validate_external_credential(cas_resp.user)
            # invalid cas response
            if not external_credential:
                return None, None, None
            # cas returns a valid external credential
            user = get_user(external_id_provider=external_credential['provider'],
                            external_id=external_credential['id'])
            # existing user found
            if user:
                return user, external_credential, 'authenticate'
            # user first time login through external identity provider
            else:
                return None, external_credential, 'external_first_login'
Exemple #17
0
def before_request():
    from framework.auth import cas

    # Central Authentication Server Ticket Validation and Authentication
    ticket = request.args.get('ticket')
    if ticket:
        service_url = furl.furl(request.url)
        service_url.args.pop('ticket')
        # Attempt autn wih CAS, and return a proper redirect response
        resp = cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url)
        if request.cookies.get(settings.COOKIE_NAME):
            # TODO: Delete legacy cookie, this special case can be removed anytime after 1/1/2016.
            # A cookie is received which could potentially be a legacy (pre multi-domain) cookie.
            # Issuing a targeted delete of the legacy cookie ensures the user does not end up in a
            # login loop whereby both cookies are sent to the server and one of them at random
            # read for authentication.
            resp.delete_cookie(settings.COOKIE_NAME, domain=None)
        return resp

    if request.authorization:
        # TODO: Fix circular import
        from framework.auth.core import get_user
        user = get_user(
            email=request.authorization.username,
            password=request.authorization.password
        )
        # Create empty session
        # TODO: Shoudn't need to create a session for Basic Auth
        session = Session()
        set_session(session)

        if user:
            user_addon = user.get_addon('twofactor')
            if user_addon and user_addon.is_confirmed:
                otp = request.headers.get('X-OSF-OTP')
                if otp is None or not user_addon.verify_code(otp):
                    # Must specify two-factor authentication OTP code or invalid two-factor
                    # authentication OTP code.
                    session.data['auth_error_code'] = http.UNAUTHORIZED
                    return

            session.data['auth_user_username'] = user.username
            session.data['auth_user_id'] = user._primary_key
            session.data['auth_user_fullname'] = user.fullname
        else:
            # Invalid key: Not found in database
            session.data['auth_error_code'] = http.UNAUTHORIZED
        return

    cookie = request.cookies.get(settings.COOKIE_NAME)
    if cookie:
        try:
            session_id = itsdangerous.Signer(settings.SECRET_KEY).unsign(cookie)
            session = Session.load(session_id) or Session(_id=session_id)
        except itsdangerous.BadData:
            return
        if session.data.get('auth_user_id') and 'api' not in request.url:
            database['user'].update({'_id': session.data.get('auth_user_id')}, {'$set': {'date_last_login': datetime.utcnow()}}, w=0)
        set_session(session)
Exemple #18
0
def before_request():
    from framework.auth import authenticate
    from framework.auth.core import User
    from framework.auth import cas

    # Central Authentication Server Ticket Validation and Authentication
    ticket = request.args.get('ticket')
    if ticket:
        service_url = furl.furl(request.url)
        service_url.args.pop('ticket')
        # Attempt autn wih CAS, and return a proper redirect response
        return cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url)

    # Central Authentication Server OAuth Bearer Token
    authorization = request.headers.get('Authorization')
    if authorization and authorization.startswith('Bearer '):
        client = cas.get_client()
        try:
            access_token = cas.parse_auth_header(authorization)
        except cas.CasTokenError as err:
            # NOTE: We assume that the request is an AJAX request
            return jsonify({'message_short': 'Invalid Bearer token', 'message_long': err.args[0]}), http.UNAUTHORIZED
        cas_resp = client.profile(access_token)
        if cas_resp.authenticated:
            user = User.load(cas_resp.user)
            return authenticate(user, access_token=access_token, response=None)
        return make_response('', http.UNAUTHORIZED)

    if request.authorization:
        # TODO: Fix circular import
        from framework.auth.core import get_user
        user = get_user(
            email=request.authorization.username,
            password=request.authorization.password
        )
        # Create empty session
        # TODO: Shoudn't need to create a session for Basic Auth
        session = Session()

        if user:
            session.data['auth_user_username'] = user.username
            session.data['auth_user_id'] = user._primary_key
            session.data['auth_user_fullname'] = user.fullname
        else:
            # Invalid key: Not found in database
            session.data['auth_error_code'] = http.FORBIDDEN

        set_session(session)
        return

    cookie = request.cookies.get(settings.COOKIE_NAME)
    if cookie:
        try:
            session_id = itsdangerous.Signer(settings.SECRET_KEY).unsign(cookie)
            session = Session.load(session_id) or Session(_id=session_id)
            set_session(session)
            return
        except:
            pass
Exemple #19
0
    def post(self, request, *args, **kwargs):
        claimer = request.user
        email = (request.data.get('email', None) or '').lower().strip()
        record_id = (request.data.get('id', None) or '').lower().strip()
        if not record_id:
            raise ValidationError('Must specify record "id".')
        claimed_user = self.get_user(
            check_permissions=True)  # Ensures claimability
        if claimed_user.is_disabled:
            raise ValidationError('Cannot claim disabled account.')
        try:
            record_referent = Guid.objects.get(_id=record_id).referent
        except Guid.DoesNotExist:
            raise NotFound('Unable to find specified record.')

        try:
            unclaimed_record = claimed_user.unclaimed_records[
                record_referent._id]
        except KeyError:
            if isinstance(
                    record_referent, Preprint
            ) and record_referent.node and record_referent.node._id in claimed_user.unclaimed_records:
                record_referent = record_referent.node
                unclaimed_record = claimed_user.unclaimed_records[
                    record_referent._id]
            else:
                raise NotFound('Unable to find specified record.')

        if claimer.is_anonymous and email:
            claimer = get_user(email=email)
            try:
                if claimer and claimer.is_registered:
                    self._send_claim_email(claimer,
                                           claimed_user,
                                           record_referent,
                                           registered=True)
                else:
                    self._send_claim_email(email,
                                           claimed_user,
                                           record_referent,
                                           notify=True,
                                           registered=False)
            except HTTPError as e:
                raise ValidationError(e.data['message_long'])
        elif isinstance(claimer, OSFUser):
            if unclaimed_record.get('referrer_id', '') == claimer._id:
                raise ValidationError('Referrer cannot claim user.')
            try:
                self._send_claim_email(claimer,
                                       claimed_user,
                                       record_referent,
                                       registered=True)
            except HTTPError as e:
                raise ValidationError(e.data['message_long'])

        else:
            raise ValidationError(
                'Must either be logged in or specify claim email.')
        return Response(status=status.HTTP_204_NO_CONTENT)
Exemple #20
0
 def clean_admins(self):
     emails = self.cleaned_data['admins']
     for email in emails:
         user = get_user(email=email)
         if not user or user is None:
             raise forms.ValidationError(
                 '{} does not have an OSF account'.format(email))
     return emails
Exemple #21
0
 def clean_admins(self):
     emails = self.cleaned_data['admins']
     for email in emails:
         user = get_user(email=email)
         if not user or user is None:
             raise forms.ValidationError(
                 '{} does not have an OSF account'.format(email)
             )
     return emails
Exemple #22
0
def before_request():
    from framework.auth import cas
    from website.util import time as util_time

    # Central Authentication Server Ticket Validation and Authentication
    ticket = request.args.get('ticket')
    if ticket:
        service_url = furl.furl(request.url)
        service_url.args.pop('ticket')
        # Attempt autn wih CAS, and return a proper redirect response
        return cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url)

    if request.authorization:
        # TODO: Fix circular import
        from framework.auth.core import get_user
        user = get_user(
            email=request.authorization.username,
            password=request.authorization.password
        )
        # Create empty session
        # TODO: Shoudn't need to create a session for Basic Auth
        session = Session()
        set_session(session)

        if user:
            user_addon = user.get_addon('twofactor')
            if user_addon and user_addon.is_confirmed:
                otp = request.headers.get('X-OSF-OTP')
                if otp is None or not user_addon.verify_code(otp):
                    # Must specify two-factor authentication OTP code or invalid two-factor
                    # authentication OTP code.
                    session.data['auth_error_code'] = http.UNAUTHORIZED
                    return

            session.data['auth_user_username'] = user.username
            session.data['auth_user_id'] = user._primary_key
            session.data['auth_user_fullname'] = user.fullname
        else:
            # Invalid key: Not found in database
            session.data['auth_error_code'] = http.UNAUTHORIZED
        return

    cookie = request.cookies.get(settings.COOKIE_NAME)
    if cookie:
        try:
            session_id = itsdangerous.Signer(settings.SECRET_KEY).unsign(cookie)
            session = Session.load(session_id) or Session(_id=session_id)
        except itsdangerous.BadData:
            return

        if not util_time.throttle_period_expired(session.date_created, settings.OSF_SESSION_TIMEOUT):
            if session.data.get('auth_user_id') and 'api' not in request.url:
                database['user'].update({'_id': session.data.get('auth_user_id')}, {'$set': {'date_last_login': datetime.utcnow()}}, w=0)
            set_session(session)
        else:
            remove_session(session)
Exemple #23
0
    def authenticate_credentials(self, userid, password):
        """
        Authenticate the userid and password against username and password.
        """
        user = get_user(email=userid, password=password)

        if userid and user is None:
            raise exceptions.AuthenticationFailed(_('Invalid username/password.'))
        elif userid is None and password is None:
            raise exceptions.NotAuthenticated()
        return (user, None)
Exemple #24
0
    def authenticate_credentials(self, userid, password):
        """
        Authenticate the userid and password against username and password.
        """
        user = get_user(email=userid, password=password)

        if userid and user is None:
            raise exceptions.AuthenticationFailed(_('Invalid username/password.'))
        elif userid is None and password is None:
            raise exceptions.NotAuthenticated()
        return (user, None)
Exemple #25
0
def before_request():
    from framework.auth import cas

    # Central Authentication Server Ticket Validation and Authentication
    ticket = request.args.get('ticket')
    if ticket:
        service_url = furl.furl(request.url)
        service_url.args.pop('ticket')
        # Attempt autn wih CAS, and return a proper redirect response
        resp = cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url)
        if request.cookies.get(settings.COOKIE_NAME):
            # TODO: Delete legacy cookie, this special case can be removed anytime after 1/1/2016.
            # A cookie is received which could potentially be a legacy (pre multi-domain) cookie.
            # Issuing a targeted delete of the legacy cookie ensures the user does not end up in a
            # login loop whereby both cookies are sent to the server and one of them at random
            # read for authentication.
            resp.delete_cookie(settings.COOKIE_NAME, domain=None)
        return resp

    if request.authorization:
        # TODO: Fix circular import
        from framework.auth.core import get_user
        user = get_user(
            email=request.authorization.username,
            password=request.authorization.password
        )
        # Create empty session
        # TODO: Shoudn't need to create a session for Basic Auth
        session = Session()

        if user:
            session.data['auth_user_username'] = user.username
            session.data['auth_user_id'] = user._primary_key
            session.data['auth_user_fullname'] = user.fullname
            user.date_last_login = datetime.utcnow()
            user.save()
        else:
            # Invalid key: Not found in database
            session.data['auth_error_code'] = http.FORBIDDEN

        set_session(session)
        return

    cookie = request.cookies.get(settings.COOKIE_NAME)
    if cookie:
        try:
            session_id = itsdangerous.Signer(settings.SECRET_KEY).unsign(cookie)
            session = Session.load(session_id) or Session(_id=session_id)
        except itsdangerous.BadData:
            return
        if session.data.get('auth_user_id'):
            database['user'].update({'_id': session.data.get('auth_user_id')}, {'$set': {'date_last_login': datetime.utcnow()}}, w=0)
        set_session(session)
Exemple #26
0
def before_request():
    from framework.auth import cas

    # Central Authentication Server Ticket Validation and Authentication
    ticket = request.args.get('ticket')
    if ticket:
        service_url = furl.furl(request.url)
        service_url.args.pop('ticket')
        # Attempt autn wih CAS, and return a proper redirect response
        resp = cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url)
        if request.cookies.get(settings.COOKIE_NAME):
            # TODO: Delete legacy cookie, this special case can be removed anytime after 1/1/2016.
            # A cookie is received which could potentially be a legacy (pre multi-domain) cookie.
            # Issuing a targeted delete of the legacy cookie ensures the user does not end up in a
            # login loop whereby both cookies are sent to the server and one of them at random
            # read for authentication.
            resp.delete_cookie(settings.COOKIE_NAME, domain=None)
        return resp

    if request.authorization:
        # TODO: Fix circular import
        from framework.auth.core import get_user
        user = get_user(
            email=request.authorization.username,
            password=request.authorization.password
        )
        # Create empty session
        # TODO: Shoudn't need to create a session for Basic Auth
        session = Session()

        if user:
            session.data['auth_user_username'] = user.username
            session.data['auth_user_id'] = user._primary_key
            session.data['auth_user_fullname'] = user.fullname
        else:
            # Invalid key: Not found in database
            session.data['auth_error_code'] = http.FORBIDDEN

        set_session(session)
        return

    cookie = request.cookies.get(settings.COOKIE_NAME)
    if cookie:
        try:
            session_id = itsdangerous.Signer(settings.SECRET_KEY).unsign(cookie)
            session = Session.load(session_id) or Session(_id=session_id)
            set_session(session)
            return
        except:
            pass
Exemple #27
0
def get_or_create_user(fullname, address, is_spam=False):
    """Get or create user by email address.

    :param str fullname: User full name
    :param str address: User email address
    :param bool is_spam: User flagged as potential spam
    :return: Tuple of (user, created)
    """
    user = get_user(email=address)
    if user:
        return user, False
    else:
        password = str(uuid.uuid4())
        user = User.create_confirmed(address, password, fullname)
        user.verification_key = generate_verification_key()
        if is_spam:
            user.system_tags.append('is_spam')
        return user, True
Exemple #28
0
def get_or_create_user(fullname, address, is_spam=False):
    """Get or create user by email address.

    :param str fullname: User full name
    :param str address: User email address
    :param bool is_spam: User flagged as potential spam
    :return: Tuple of (user, created)
    """
    user = get_user(email=address)
    if user:
        return user, False
    else:
        password = str(uuid.uuid4())
        user = User.create_confirmed(address, password, fullname)
        user.verification_key = generate_verification_key()
        if is_spam:
            user.system_tags.append('is_spam')
        return user, True
Exemple #29
0
    def post(self, request, *args, **kwargs):
        claimer = request.user
        email = (request.data.get('email', None) or '').lower().strip()
        record_id = (request.data.get('id', None) or '').lower().strip()
        if not record_id:
            raise ValidationError('Must specify record "id".')
        claimed_user = self.get_user(check_permissions=True)  # Ensures claimability
        if claimed_user.is_disabled:
            raise ValidationError('Cannot claim disabled account.')
        try:
            record_referent = Guid.objects.get(_id=record_id).referent
        except Guid.DoesNotExist:
            raise NotFound('Unable to find specified record.')

        try:
            unclaimed_record = claimed_user.unclaimed_records[record_referent._id]
        except KeyError:
            if isinstance(record_referent, Preprint) and record_referent.node and record_referent.node._id in claimed_user.unclaimed_records:
                record_referent = record_referent.node
                unclaimed_record = claimed_user.unclaimed_records[record_referent._id]
            else:
                raise NotFound('Unable to find specified record.')

        if claimer.is_anonymous and email:
            claimer = get_user(email=email)
            try:
                if claimer and claimer.is_registered:
                    self._send_claim_email(claimer, claimed_user, record_referent, registered=True)
                else:
                    self._send_claim_email(email, claimed_user, record_referent, notify=True, registered=False)
            except HTTPError as e:
                raise ValidationError(e.data['message_long'])
        elif isinstance(claimer, OSFUser):
            if unclaimed_record.get('referrer_id', '') == claimer._id:
                raise ValidationError('Referrer cannot claim user.')
            try:
                self._send_claim_email(claimer, claimed_user, record_referent, registered=True)
            except HTTPError as e:
                raise ValidationError(e.data['message_long'])

        else:
            raise ValidationError('Must either be logged in or specify claim email.')
        return Response(status=status.HTTP_204_NO_CONTENT)
Exemple #30
0
def before_request():
    from framework.auth import cas

    # Central Authentication Server Ticket Validation and Authentication
    ticket = request.args.get('ticket')
    if ticket:
        service_url = furl.furl(request.url)
        service_url.args.pop('ticket')
        # Attempt autn wih CAS, and return a proper redirect response
        return cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url)

    if request.authorization:
        # TODO: Fix circular import
        from framework.auth.core import get_user
        user = get_user(
            email=request.authorization.username,
            password=request.authorization.password
        )
        # Create empty session
        # TODO: Shoudn't need to create a session for Basic Auth
        session = Session()

        if user:
            session.data['auth_user_username'] = user.username
            session.data['auth_user_id'] = user._primary_key
            session.data['auth_user_fullname'] = user.fullname
        else:
            # Invalid key: Not found in database
            session.data['auth_error_code'] = http.FORBIDDEN

        set_session(session)
        return

    cookie = request.cookies.get(settings.COOKIE_NAME)
    if cookie:
        try:
            session_id = itsdangerous.Signer(settings.SECRET_KEY).unsign(cookie)
            session = Session.load(session_id) or Session(_id=session_id)
            set_session(session)
            return
        except:
            pass
Exemple #31
0
def before_request():
    from framework.auth import cas

    # Central Authentication Server Ticket Validation and Authentication
    ticket = request.args.get('ticket')
    if ticket:
        service_url = furl.furl(request.url)
        service_url.args.pop('ticket')
        # Attempt autn wih CAS, and return a proper redirect response
        return cas.make_response_from_ticket(ticket=ticket,
                                             service_url=service_url.url)

    if request.authorization:
        # TODO: Fix circular import
        from framework.auth.core import get_user
        user = get_user(email=request.authorization.username,
                        password=request.authorization.password)
        # Create empty session
        # TODO: Shoudn't need to create a session for Basic Auth
        session = Session()

        if user:
            session.data['auth_user_username'] = user.username
            session.data['auth_user_id'] = user._primary_key
            session.data['auth_user_fullname'] = user.fullname
        else:
            # Invalid key: Not found in database
            session.data['auth_error_code'] = http.FORBIDDEN

        set_session(session)
        return

    cookie = request.cookies.get(settings.COOKIE_NAME)
    if cookie:
        try:
            session_id = itsdangerous.Signer(
                settings.SECRET_KEY).unsign(cookie)
            session = Session.load(session_id) or Session(_id=session_id)
            set_session(session)
            return
        except:
            pass
Exemple #32
0
def invite_contributor_post(node, **kwargs):
    """API view for inviting an unregistered user. Performs validation, but does not actually invite the user.

    Expects JSON arguments with 'fullname' (required) and email (not required).
    """
    fullname = request.json.get('fullname').strip()
    email = request.json.get('email')
    # Validate and sanitize inputs as needed. Email will raise error if invalid.
    fullname = sanitize.strip_html(fullname)
    if email:
        email = email.lower().strip()
        try:
            validate_email(email)
        except ValidationError as e:
            return {'status': 400, 'message': e.message}, 400

    if not fullname:
        return {
            'status': 400,
            'message': 'Full name field cannot be empty'
        }, 400

    # Check if email is in the database
    user = get_user(email=email)
    if user:
        if user.is_registered:
            msg = 'User is already in database. Please go back and try your search again.'
            return {'status': 400, 'message': msg}, 400
        elif node.is_contributor(user):
            msg = 'User with this email address is already a contributor to this project.'
            return {'status': 400, 'message': msg}, 400
        elif not user.is_confirmed:
            serialized = profile_utils.serialize_unregistered(fullname, email)
        else:
            serialized = profile_utils.add_contributor_json(user)
            # use correct display name
            serialized['fullname'] = fullname
            serialized['email'] = email
    else:
        # Create a placeholder
        serialized = profile_utils.serialize_unregistered(fullname, email)
    return {'status': 'success', 'contributor': serialized}
Exemple #33
0
    def authenticate_credentials(self, userid, password):
        """
        Authenticate the user by userid (email) and password.

        :param userid: the username or email
        :param password: the password
        :return: the User
        :raises: NotAuthenticated
        :raises: AuthenticationFailed
        """

        user = get_user(email=userid, password=password)

        if userid and not user:
            raise exceptions.AuthenticationFailed(_('Invalid username/password.'))
        elif userid is None and password is None:
            raise exceptions.NotAuthenticated()

        check_user(user)
        return user, None
Exemple #34
0
    def authenticate_credentials(self, userid, password, request=None):
        """
        Authenticate the user by userid (email) and password.

        :param userid: the username or email
        :param password: the password
        :return: the User
        :raises: NotAuthenticated
        :raises: AuthenticationFailed
        """

        user = get_user(email=userid, password=password)

        if userid and not user:
            raise exceptions.AuthenticationFailed(_('Invalid username/password.'))
        elif userid is None and password is None:
            raise exceptions.NotAuthenticated()

        check_user(user)
        return user, None
Exemple #35
0
def get_or_create_user(fullname, address, is_spam):
    """Get or create user by email address.

    :param str fullname: User full name
    :param str address: User email address
    :param bool is_spam: User flagged as potential spam
    :return: Tuple of (user, created)
    """
    user = get_user(email=address)
    if user:
        return user, False
    else:
        password = str(uuid.uuid4())
        user = User.create_confirmed(address, password, fullname)
        user.verification_key = security.random_string(20)
        if is_spam:
            user.system_tags.append('is_spam')
        user.save()
        signals.user_confirmed.send(user)
        return user, True
Exemple #36
0
def get_or_create_user(fullname, address, is_spam):
    """Get or create user by email address.

    :param str fullname: User full name
    :param str address: User email address
    :param bool is_spam: User flagged as potential spam
    :return: Tuple of (user, created)
    """
    user = get_user(email=address)
    if user:
        return user, False
    else:
        password = str(uuid.uuid4())
        user = User.create_confirmed(address, password, fullname)
        user.verification_key = security.random_string(20)
        if is_spam:
            user.system_tags.append('is_spam')
        # user.save()
        # signals.user_confirmed.send(user)
        return user, True
Exemple #37
0
def get_or_create_user(fullname, address, reset_password=True, is_spam=False):
    """
    Get or create user by fullname and email address.

    :param str fullname: user full name
    :param str address: user email address
    :param boolean reset_password: ask user to reset their password
    :param bool is_spam: user flagged as potential spam
    :return: tuple of (user, created)
    """
    user = get_user(email=address)
    if user:
        return user, False
    else:
        password = str(uuid.uuid4())
        user = User.create_confirmed(address, password, fullname)
        if password:
            user.verification_key_v2 = generate_verification_key(verification_type='password')
        if is_spam:
            user.system_tags.append('is_spam')
        return user, True
Exemple #38
0
def register_unconfirmed(username, password, fullname, campaign=None):
    user = get_user(email=username)
    if not user:
        user = User.create_unconfirmed(
            username=username,
            password=password,
            fullname=fullname,
            campaign=campaign,
        )
        user.save()
        signals.unconfirmed_user_created.send(user)

    elif not user.is_registered:  # User is in db but not registered
        user.add_unconfirmed_email(username)
        user.set_password(password)
        user.fullname = fullname
        user.update_guessed_names()
        user.save()
    else:
        raise DuplicateEmailError('User {0!r} already exists'.format(username))
    return user
Exemple #39
0
def get_or_create_user(fullname, address, reset_password=True, is_spam=False):
    """
    Get or create user by fullname and email address.

    :param str fullname: user full name
    :param str address: user email address
    :param boolean reset_password: ask user to reset their password
    :param bool is_spam: user flagged as potential spam
    :return: tuple of (user, created)
    """
    user = get_user(email=address)
    if user:
        return user, False
    else:
        password = str(uuid.uuid4())
        user = User.create_confirmed(address, password, fullname)
        if password:
            user.verification_key_v2 = generate_verification_key(
                verification_type='password')
        if is_spam:
            user.system_tags.append('is_spam')
        return user, True
Exemple #40
0
def invite_contributor_post(node, **kwargs):
    """API view for inviting an unregistered user. Performs validation, but does not actually invite the user.

    Expects JSON arguments with 'fullname' (required) and email (not required).
    """
    fullname = request.json.get('fullname').strip()
    email = request.json.get('email')
    # Validate and sanitize inputs as needed. Email will raise error if invalid.
    fullname = sanitize.strip_html(fullname)
    if email:
        email = email.lower().strip()
        try:
            validate_email(email)
        except ValidationError as e:
            return {'status': 400, 'message': e.message}, 400

    if not fullname:
        return {'status': 400, 'message': 'Full name field cannot be empty'}, 400

    # Check if email is in the database
    user = get_user(email=email)
    if user:
        if user.is_registered:
            msg = 'User is already in database. Please go back and try your search again.'
            return {'status': 400, 'message': msg}, 400
        elif node.is_contributor(user):
            msg = 'User with this email address is already a contributor to this project.'
            return {'status': 400, 'message': msg}, 400
        elif not user.is_confirmed:
            serialized = profile_utils.serialize_unregistered(fullname, email)
        else:
            serialized = profile_utils.add_contributor_json(user)
            # use correct display name
            serialized['fullname'] = fullname
            serialized['email'] = email
    else:
        # Create a placeholder
        serialized = profile_utils.serialize_unregistered(fullname, email)
    return {'status': 'success', 'contributor': serialized}
Exemple #41
0
def claim_user_post(node, **kwargs):
    """
    View for claiming a user from the X-editable form on a project page.

    :param node: the project node
    :return:
    """

    request_data = request.json

    # The unclaimed user
    unclaimed_user = OSFUser.load(request_data['pk'])
    unclaimed_data = unclaimed_user.get_unclaimed_record(node._primary_key)

    # Claimer is not logged in and submit her/his email through X-editable, stored in `request_data['value']`
    if 'value' in request_data:
        email = request_data['value'].lower().strip()
        claimer = get_user(email=email)
        # registered user
        if claimer and claimer.is_registered:
            send_claim_registered_email(claimer, unclaimed_user, node)
        # unregistered user
        else:
            send_claim_email(email, unclaimed_user, node, notify=True)
    # Claimer is logged in with confirmed identity stored in `request_data['claimerId']`
    elif 'claimerId' in request_data:
        claimer_id = request_data['claimerId']
        claimer = OSFUser.load(claimer_id)
        send_claim_registered_email(claimer, unclaimed_user, node)
        email = claimer.username
    else:
        raise HTTPError(http_status.HTTP_400_BAD_REQUEST)

    return {
        'status': 'success',
        'email': email,
        'fullname': unclaimed_data['name']
    }
Exemple #42
0
def get_or_create_user(fullname, address, reset_password=True, is_spam=False):
    """
    Get or create user by fullname and email address.

    :param str fullname: user full name
    :param str address: user email address
    :param boolean reset_password: ask user to reset their password
    :param bool is_spam: user flagged as potential spam
    :return: tuple of (user, created)
    """
    from osf.models import OSFUser
    user = get_user(email=address)
    if user:
        return user, False
    else:
        password = str(uuid.uuid4())
        user = OSFUser.create_confirmed(address, password, fullname)
        if reset_password:
            user.verification_key_v2 = generate_verification_key(verification_type='password')
        if is_spam:
            user.save()  # need to save in order to add a tag
            user.add_system_tag('is_spam')
        return user, True
Exemple #43
0
def get_or_create_user(fullname, address, reset_password=True, is_spam=False):
    """
    Get or create user by fullname and email address.

    :param str fullname: user full name
    :param str address: user email address
    :param boolean reset_password: ask user to reset their password
    :param bool is_spam: user flagged as potential spam
    :return: tuple of (user, created)
    """
    from osf.models import OSFUser
    user = get_user(email=address)
    if user:
        return user, False
    else:
        password = str(uuid.uuid4())
        user = OSFUser.create_confirmed(address, password, fullname)
        if reset_password:
            user.verification_key_v2 = generate_verification_key(verification_type='password')
        if is_spam:
            user.save()  # need to save in order to add a tag
            user.add_system_tag('is_spam')
        return user, True
Exemple #44
0
 def authenticate(self, username=None, password=None):
     return get_user(email=username, password=password) or None
Exemple #45
0
def before_request():
    # TODO: Fix circular import
    from framework.auth.core import get_user
    from framework.auth import cas
    from framework.utils import throttle_period_expired
    Session = apps.get_model('osf.Session')

    # Central Authentication Server Ticket Validation and Authentication
    ticket = request.args.get('ticket')
    if ticket:
        service_url = furl.furl(request.url)
        service_url.args.pop('ticket')
        # Attempt to authenticate wih CAS, and return a proper redirect response
        return cas.make_response_from_ticket(ticket=ticket,
                                             service_url=service_url.url)

    if request.authorization:
        user = get_user(email=request.authorization.username,
                        password=request.authorization.password)
        # Create an empty session
        # TODO: Shoudn't need to create a session for Basic Auth
        user_session = Session()
        set_session(user_session)

        if user:
            user_addon = user.get_addon('twofactor')
            if user_addon and user_addon.is_confirmed:
                otp = request.headers.get('X-OSF-OTP')
                if otp is None or not user_addon.verify_code(otp):
                    # Must specify two-factor authentication OTP code or invalid two-factor authentication OTP code.
                    user_session.data[
                        'auth_error_code'] = http_status.HTTP_401_UNAUTHORIZED
                    return
            user_session.data['auth_user_username'] = user.username
            user_session.data['auth_user_fullname'] = user.fullname
            if user_session.data.get('auth_user_id',
                                     None) != user._primary_key:
                user_session.data['auth_user_id'] = user._primary_key
                user_session.save()
        else:
            # Invalid key: Not found in database
            user_session.data[
                'auth_error_code'] = http_status.HTTP_401_UNAUTHORIZED
        return

    cookie = request.cookies.get(settings.COOKIE_NAME)
    if cookie:
        try:
            session_id = itsdangerous.Signer(
                settings.SECRET_KEY).unsign(cookie)
            user_session = Session.load(session_id) or Session(_id=session_id)
        except itsdangerous.BadData:
            return
        if not throttle_period_expired(user_session.created,
                                       settings.OSF_SESSION_TIMEOUT):
            # Update date last login when making non-api requests
            if user_session.data.get(
                    'auth_user_id') and 'api' not in request.url:
                OSFUser = apps.get_model('osf.OSFUser')
                (OSFUser.objects.filter(
                    guids___id__isnull=False,
                    guids___id=user_session.data['auth_user_id'])
                 # Throttle updates
                 .filter(
                     Q(date_last_login__isnull=True)
                     | Q(date_last_login__lt=timezone.now() - dt.timedelta(
                         seconds=settings.DATE_LAST_LOGIN_THROTTLE)))).update(
                             date_last_login=timezone.now())
            set_session(user_session)
        else:
            remove_session(user_session)
Exemple #46
0
    def dispatch(self, request, *args, **kwargs):

        eppn = request.environ['HTTP_AUTH_EPPN']
        seps = eppn.split(SHIB_EPPN_SCOPING_SEPARATOR)[-1]
        institution = Institution.objects.filter(
            domains__contains=[str(seps)]).first()
        if not institution:
            return redirect('auth:login')

        if not eppn:
            message = 'login failed: permission denied.'
            logging.info(message)
            messages.error(self.request, message)
            return redirect('auth:login')
        eppn_user = get_user(eppn=eppn)
        if eppn_user:
            try:
                others = eppn_user.affiliated_institutions.exclude(
                    id=institution.id).get()
            except Institution.DoesNotExist:
                pass
            else:
                eppn_user.affiliated_institutions.remove(others)

            eppn_user.affiliated_institutions.add(institution)
            if 'GakuninRDMAdmin' in request.environ['HTTP_AUTH_ENTITLEMENT']:
                # login success
                # code is below this if/else tree
                eppn_user.is_staff = True
                eppn_user.save()
            else:
                # login failure occurs and the screen transits to the error screen
                # not sure about this code
                eppn_user.is_staff = False
                eppn_user.save()
                message = 'login failed: permission denied.'
                logging.info(message)
                messages.error(self.request, message)
                return redirect('auth:login')
        else:
            if 'GakuninRDMAdmin' not in request.environ[
                    'HTTP_AUTH_ENTITLEMENT']:
                message = 'login failed: no user with matching eppn'
                messages.error(self.request, message)
                return redirect('auth:login')
            else:
                new_user, created = get_or_create_user(
                    request.environ['HTTP_AUTH_DISPLAYNAME'] or 'NO NAME',
                    eppn,
                    reset_password=False)
                USE_EPPN = login_by_eppn()
                if USE_EPPN:
                    new_user.eppn = eppn
                    new_user.have_email = False
                else:
                    new_user.eppn = None
                    new_user.have_email = True
                new_user.is_staff = True
                new_user.eppn = eppn
                new_user.have_email = False
                new_user.save()
                new_user.affiliated_institutions.add(institution)
                eppn_user = new_user

        guid = Guid.objects.get(
            object_id=eppn_user.id,
            content_type_id=ContentType.objects.get_for_model(OSFUser).id)
        if not userkey_generation_check(guid._id):
            userkey_generation(guid._id)
        login(request,
              eppn_user,
              backend='api.base.authentication.backends.ODMBackend')

        # Transit to the administrator's home screen
        return redirect(self.get_success_url())
Exemple #47
0
def before_request():
    # TODO: Fix circular import
    from framework.auth.core import get_user
    from framework.auth import cas
    from website.util import time as util_time
    Session = apps.get_model('osf.Session')

    # Central Authentication Server Ticket Validation and Authentication
    ticket = request.args.get('ticket')
    if ticket:
        service_url = furl.furl(request.url)
        service_url.args.pop('ticket')
        # Attempt to authenticate wih CAS, and return a proper redirect response
        return cas.make_response_from_ticket(ticket=ticket, service_url=service_url.url)

    if request.authorization:
        user = get_user(
            email=request.authorization.username,
            password=request.authorization.password
        )
        # Create an empty session
        # TODO: Shoudn't need to create a session for Basic Auth
        user_session = Session()
        set_session(user_session)

        if user:
            user_addon = user.get_addon('twofactor')
            if user_addon and user_addon.is_confirmed:
                otp = request.headers.get('X-OSF-OTP')
                if otp is None or not user_addon.verify_code(otp):
                    # Must specify two-factor authentication OTP code or invalid two-factor authentication OTP code.
                    user_session.data['auth_error_code'] = http.UNAUTHORIZED
                    return
            user_session.data['auth_user_username'] = user.username
            user_session.data['auth_user_fullname'] = user.fullname
            if user_session.data.get('auth_user_id', None) != user._primary_key:
                user_session.data['auth_user_id'] = user._primary_key
                user_session.save()
        else:
            # Invalid key: Not found in database
            user_session.data['auth_error_code'] = http.UNAUTHORIZED
        return

    cookie = request.cookies.get(settings.COOKIE_NAME)
    if cookie:
        try:
            session_id = itsdangerous.Signer(settings.SECRET_KEY).unsign(cookie)
            user_session = Session.load(session_id) or Session(_id=session_id)
        except itsdangerous.BadData:
            return
        if not util_time.throttle_period_expired(user_session.created, settings.OSF_SESSION_TIMEOUT):
            # Update date last login when making non-api requests
            if user_session.data.get('auth_user_id') and 'api' not in request.url:
                OSFUser = apps.get_model('osf.OSFUser')
                (
                    OSFUser.objects
                    .filter(guids___id__isnull=False, guids___id=user_session.data['auth_user_id'])
                    # Throttle updates
                    .filter(Q(date_last_login__isnull=True) | Q(date_last_login__lt=timezone.now() - dt.timedelta(seconds=settings.DATE_LAST_LOGIN_THROTTLE)))
                ).update(date_last_login=timezone.now())
            set_session(user_session)
        else:
            remove_session(user_session)
Exemple #48
0
def before_request():
    from framework import sentry
    from framework.auth import cas
    from framework.auth.core import User
    from framework.auth import authenticate
    from framework.routing import json_renderer

    # Central Authentication Server Ticket Validation and Authentication
    ticket = request.args.get('ticket')
    if ticket:
        service_url = furl.furl(request.url)
        service_url.args.pop('ticket')
        # Attempt autn wih CAS, and return a proper redirect response
        return cas.make_response_from_ticket(ticket=ticket,
                                             service_url=service_url.url)

    # Central Authentication Server OAuth Bearer Token
    authorization = request.headers.get('Authorization')
    if authorization and authorization.startswith('Bearer '):
        client = cas.get_client()
        try:
            access_token = cas.parse_auth_header(authorization)
            cas_resp = client.profile(access_token)
        except cas.CasError as err:
            sentry.log_exception()
            # NOTE: We assume that the request is an AJAX request
            return json_renderer(err)
        if cas_resp.authenticated:
            user = User.load(cas_resp.user)
            return authenticate(user, access_token=access_token, response=None)
        return make_response('', http.UNAUTHORIZED)

    if request.authorization:
        # TODO: Fix circular import
        from framework.auth.core import get_user
        user = get_user(email=request.authorization.username,
                        password=request.authorization.password)
        # Create empty session
        # TODO: Shoudn't need to create a session for Basic Auth
        session = Session()

        if user:
            session.data['auth_user_username'] = user.username
            session.data['auth_user_id'] = user._primary_key
            session.data['auth_user_fullname'] = user.fullname
        else:
            # Invalid key: Not found in database
            session.data['auth_error_code'] = http.FORBIDDEN

        set_session(session)
        return

    cookie = request.cookies.get(settings.COOKIE_NAME)
    if cookie:
        try:
            session_id = itsdangerous.Signer(
                settings.SECRET_KEY).unsign(cookie)
            session = Session.load(session_id) or Session(_id=session_id)
            set_session(session)
            return
        except:
            pass
 def test_get_user_with_wrong_password_returns_false(self):
     user = UserFactory.build()
     user.set_password('killerqueen')
     assert bool(
         get_user(email=user.username, password='******')
     ) is False
 def test_get_user_by_email(self):
     user = UserFactory()
     assert get_user(email=user.username) == user
     assert get_user(email=user.username.upper()) == user
Exemple #51
0
 def authenticate(self, username=None, password=None):
     return get_user(email=username, password=password) or None
Exemple #52
0
 def test_get_user_by_email(self):
     user = UserFactory()
     assert get_user(email=user.username) == user
     assert get_user(email=user.username.upper()) == user
Exemple #53
0
 def test_get_user_with_wrong_password_returns_false(self):
     user = UserFactory.build()
     user.set_password('killerqueen')
     assert bool(get_user(email=user.username, password='******')) is False