def _auth_push_thread(self):
    """Run the push second factor (Duo or Okta) for this connection.

    The push prompt is given the server name and, when a device name is
    known, the device plus a human-readable platform label. Dispatches on
    ``self.push_type``; a denied push is audited on the user and turned
    into ``AuthError`` so the caller never admits the connection.

    Raises:
        ValueError: ``self.push_type`` is neither DUO_AUTH nor SAML_OKTA_AUTH.
        AuthError: the push was not approved.
    """
    prompt_info = {"Server": self.server.name}

    # Platform label shown in the push prompt; stays None for unknown
    # platforms (the formatting below then renders "(None)", as before).
    platform_label = None
    for platforms, label in (
        (("linux",), "Linux"),
        (("mac", "ios"), "Apple"),
        (("win",), "Windows"),
        (("chrome",), "Chrome OS"),
    ):
        if self.platform in platforms:
            platform_label = label
            break

    if self.device_name:
        prompt_info["Device"] = "%s (%s)" % (self.device_name, platform_label)

    push_kwargs = {
        "ipaddr": self.remote_ip,
        "type": "Connection",
        "info": prompt_info,
    }
    if self.push_type == DUO_AUTH:
        approved, _ = sso.auth_duo(self.user.name, **push_kwargs)
    elif self.push_type == SAML_OKTA_AUTH:
        approved = sso.auth_okta(self.user.name, **push_kwargs)
    else:
        raise ValueError("Unkown push auth type")

    if approved:
        return

    # Record the denial on the user before failing the connection.
    self.user.audit_event(
        "user_connection",
        'User connection to "%s" denied. Push authentication failed'
        % (self.server.name),
        remote_addr=self.remote_ip,
    )
    raise AuthError("User failed push authentication")
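def sso_auth_check(self, password):
    """Re-verify this user against the single sign-on provider in ``self.auth_type``.

    Each provider path logs any failure and returns False, so the check
    fails closed. A user whose auth type matches none of the providers
    handled here is accepted unchanged (returns True). The Google and Slack
    paths only confirm that the auth server answered HTTP 200 for the user;
    the actual lookup happens on the remote side.

    Args:
        password: Used by the RADIUS path only; ignored otherwise.

    Returns:
        bool: True when the user is still authorised, False otherwise.
    """
    def log_check_error(label):
        # ``logger.exception`` here is the project's logger, which takes a
        # message, a component name and keyword context.
        logger.exception(label, 'user',
            user_id=self.id,
        )

    if GOOGLE_AUTH in self.auth_type:
        try:
            resp = utils.request.get(AUTH_SERVER + '/update/google?user=%s&license=%s' % (
                urllib.quote(self.email),
                settings.app.license,
            ))
            if resp.status_code == 200:
                return True
        except Exception:  # was a bare except: would also swallow SystemExit/KeyboardInterrupt
            log_check_error('Google auth check error')
        return False
    elif SLACK_AUTH in self.auth_type:
        try:
            resp = utils.request.get(AUTH_SERVER + '/update/slack?user=%s&team=%s&license=%s' % (
                urllib.quote(self.name),
                urllib.quote(settings.app.sso_match[0]),
                settings.app.license,
            ))
            if resp.status_code == 200:
                return True
        except Exception:
            log_check_error('Slack auth check error')
        return False
    elif SAML_ONELOGIN_AUTH in self.auth_type:
        try:
            return sso.auth_onelogin(self.name)
        except Exception:
            log_check_error('OneLogin auth check error')
        return False
    elif SAML_OKTA_AUTH in self.auth_type:
        try:
            return sso.auth_okta(self.name)
        except Exception:
            log_check_error('Okta auth check error')
        return False
    elif RADIUS_AUTH in self.auth_type:
        try:
            # verify_radius returns a tuple; element 0 is the accept flag.
            return sso.verify_radius(self.name, password)[0]
        except Exception:
            log_check_error('Radius auth check error')
        return False
    return True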
def _auth_push_thread(self):
    """Perform the Duo/Okta push challenge for this connection.

    Builds the prompt context (server name, optional device name with a
    platform label), asks the configured push provider and, if the push is
    not approved, audits the denial on the user and raises ``AuthError``.

    Raises:
        ValueError: ``self.push_type`` is not DUO_AUTH or SAML_OKTA_AUTH.
        AuthError: the user did not approve the push.
    """
    # Human-readable platform names for the push prompt. Platforms not
    # listed here map to None, which the device line renders as "(None)".
    platform_labels = {
        'linux': 'Linux',
        'mac': 'Apple',
        'ios': 'Apple',
        'win': 'Windows',
        'chrome': 'Chrome OS',
    }

    prompt = {
        'Server': self.server.name,
    }
    if self.device_name:
        prompt['Device'] = '%s (%s)' % (
            self.device_name, platform_labels.get(self.platform))

    if self.push_type == DUO_AUTH:
        approved, _ = sso.auth_duo(
            self.user.name,
            ipaddr=self.remote_ip,
            type='Connection',
            info=prompt,
        )
    elif self.push_type == SAML_OKTA_AUTH:
        approved = sso.auth_okta(
            self.user.name,
            ipaddr=self.remote_ip,
            type='Connection',
            info=prompt,
        )
    else:
        raise ValueError('Unkown push auth type')

    if not approved:
        # Audit first so the denial is recorded even though we raise next.
        self.user.audit_event('user_connection',
            'User connection to "%s" denied. Push authentication failed' % (
                self.server.name),
            remote_addr=self.remote_ip,
        )
        raise AuthError('User failed push authentication')
def _auth_push_thread(self):
    """Challenge the user with a push (Duo or Okta) before admitting the connection.

    The push shows the server name and, when known, the device name with a
    platform label. A denied push is written to the user's audit log and
    surfaced as ``AuthError``.

    Raises:
        ValueError: unsupported ``self.push_type``.
        AuthError: the push was not approved.
    """
    def platform_label():
        # Map the client platform id to the label shown in the push prompt;
        # unknown platforms yield None (rendered as "(None)" below).
        if self.platform == 'linux':
            return 'Linux'
        if self.platform in ('mac', 'ios'):
            return 'Apple'
        if self.platform == 'win':
            return 'Windows'
        if self.platform == 'chrome':
            return 'Chrome OS'
        return None

    details = {
        'Server': self.server.name,
    }
    if self.device_name:
        details['Device'] = '%s (%s)' % (self.device_name, platform_label())

    if self.push_type == DUO_AUTH:
        result = sso.auth_duo(
            self.user.name,
            ipaddr=self.remote_ip,
            type='Connection',
            info=details,
        )
        approved = result[0]
    elif self.push_type == SAML_OKTA_AUTH:
        approved = sso.auth_okta(
            self.user.name,
            ipaddr=self.remote_ip,
            type='Connection',
            info=details,
        )
    else:
        raise ValueError('Unkown push auth type')

    if approved:
        return

    self.user.audit_event(
        'user_connection',
        'User connection to "%s" denied. Push authentication failed' % (
            self.server.name),
        remote_addr=self.remote_ip,
    )
    raise AuthError('User failed push authentication')
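def sso_auth_check(self, password, remote_ip):
    """Re-verify this user against the configured single sign-on provider.

    Only the provider that is both in ``self.auth_type`` and in the
    server-wide SSO mode (``settings.app.sso``) is consulted; a user whose
    auth type is not handled here is accepted unchanged (returns True).
    For Google and Azure the provider's group list is synced onto the user
    when the matching ``sso_*_mode`` setting is ``'groups'``.

    Every remote error is logged and converted into a denial, so the check
    fails closed. ``settings.user.skip_remote_sso_check`` skips the remote
    lookup (accepting the user) for the Google, Azure, Slack, OneLogin and
    Okta paths; RADIUS and plugin auth always run.

    Args:
        password: Forwarded to the RADIUS and plugin authenticators only.
        remote_ip: Forwarded to the plugin authenticator only.

    Returns:
        bool: True when the user is still authorised, False otherwise.

    Raises:
        TypeError: Slack is configured but ``settings.app.sso_match`` is not a list.
    """
    sso_mode = settings.app.sso or ''
    auth_server = AUTH_SERVER
    if settings.app.dedicated:
        auth_server = settings.app.dedicated

    def sync_groups(provider_groups):
        # Replace the user's groups with the provider's set, committing only
        # when something actually changed.
        current = set(self.groups)
        wanted = set(provider_groups)
        if current != wanted:
            self.groups = list(wanted)
            self.commit('groups')

    def log_request_error(label, resp):
        logger.error(label, 'user',
            user_id=self.id,
            user_name=self.name,
            status_code=resp.status_code,
            content=resp.content,
        )

    def log_check_error(label):
        logger.exception(label, 'user',
            user_id=self.id,
            user_name=self.name,
        )

    if GOOGLE_AUTH in self.auth_type and GOOGLE_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True
        try:
            # NOTE(review): requests.get is called without a timeout, so an
            # unresponsive auth server blocks this check indefinitely —
            # confirm whether the caller bounds it elsewhere.
            resp = requests.get(auth_server + '/update/google?user=%s&license=%s' % (
                urllib.quote(self.email),
                settings.app.license,
            ))
            if resp.status_code != 200:
                log_request_error('Google auth check request error', resp)
                return False

            valid, google_groups = sso.verify_google(self.email)
            if not valid:
                logger.error('Google auth check failed', 'user',
                    user_id=self.id,
                    user_name=self.name,
                )
                return False

            if settings.app.sso_google_mode == 'groups':
                sync_groups(google_groups)
            return True
        except Exception:  # was a bare except: would also swallow SystemExit
            log_check_error('Google auth check error')
        return False
    elif AZURE_AUTH in self.auth_type and AZURE_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True
        try:
            # NOTE(review): the Azure app secret is sent as a query-string
            # parameter; query strings are commonly captured in proxy and
            # web-server access logs. Moving it to a request body or header
            # would need a matching change on the auth server.
            resp = requests.get(
                auth_server + ('/update/azure?user=%s&license=%s&' +
                'directory_id=%s&app_id=%s&app_secret=%s') % (
                    urllib.quote(self.name),
                    settings.app.license,
                    urllib.quote(settings.app.sso_azure_directory_id),
                    urllib.quote(settings.app.sso_azure_app_id),
                    urllib.quote(settings.app.sso_azure_app_secret),
                ))
            if resp.status_code != 200:
                log_request_error('Azure auth check request error', resp)
                return False

            valid, azure_groups = sso.verify_azure(self.name)
            if not valid:
                logger.error('Azure auth check failed', 'user',
                    user_id=self.id,
                    user_name=self.name,
                )
                return False

            if settings.app.sso_azure_mode == 'groups':
                sync_groups(azure_groups)
            return True
        except Exception:
            log_check_error('Azure auth check error')
        return False
    elif SLACK_AUTH in self.auth_type and SLACK_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True
        if not isinstance(settings.app.sso_match, list):
            raise TypeError('Invalid sso match')
        try:
            resp = requests.get(
                auth_server + '/update/slack?user=%s&team=%s&license=%s' % (
                    urllib.quote(self.name),
                    urllib.quote(settings.app.sso_match[0]),
                    settings.app.license,
                ))
            if resp.status_code != 200:
                log_request_error('Slack auth check request error', resp)
                return False
            return True
        except Exception:
            log_check_error('Slack auth check error')
        return False
    elif (SAML_ONELOGIN_AUTH in self.auth_type and
            SAML_ONELOGIN_AUTH in sso_mode):
        if settings.user.skip_remote_sso_check:
            return True
        try:
            return sso.auth_onelogin(self.name)
        except Exception:
            log_check_error('OneLogin auth check error')
        return False
    elif (SAML_OKTA_AUTH in self.auth_type and
            SAML_OKTA_AUTH in sso_mode):
        if settings.user.skip_remote_sso_check:
            return True
        try:
            return sso.auth_okta(self.name)
        except Exception:
            log_check_error('Okta auth check error')
        return False
    elif RADIUS_AUTH in self.auth_type and RADIUS_AUTH in sso_mode:
        try:
            # verify_radius returns a tuple; element 0 is the accept flag.
            return sso.verify_radius(self.name, password)[0]
        except Exception:
            log_check_error('Radius auth check error')
        return False
    elif PLUGIN_AUTH in self.auth_type:
        try:
            # Element 0 of the plugin result is used as the accept flag here.
            return sso.plugin_login_authenticate(
                user_name=self.name,
                password=password,
                remote_ip=remote_ip,
            )[0]
        except Exception:
            log_check_error('Plugin auth check error')
        return False
    return True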
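def sso_auth_check(self, password, remote_ip):
    """Re-verify this user against the configured single sign-on provider.

    Only the provider that is both in ``self.auth_type`` and in the
    server-wide SSO mode (``settings.app.sso``) is consulted; a user whose
    auth type is not handled here is accepted unchanged (returns True).
    The Google and Slack paths only confirm that the auth server answered
    HTTP 200 for the user; the actual lookup happens on the remote side.

    Every remote error is logged and converted into a denial, so the check
    fails closed. ``settings.user.skip_remote_sso_check`` skips the remote
    lookup (accepting the user) for the Google, Slack, OneLogin and Okta
    paths; RADIUS and plugin auth always run.

    Args:
        password: Forwarded to the RADIUS and plugin authenticators only.
        remote_ip: Forwarded to the plugin authenticator only.

    Returns:
        bool: True when the user is still authorised, False otherwise.

    Raises:
        TypeError: Slack is configured but ``settings.app.sso_match`` is not a list.
    """
    sso_mode = settings.app.sso or ''
    auth_server = AUTH_SERVER
    if settings.app.dedicated:
        auth_server = settings.app.dedicated

    def log_check_error(label):
        logger.exception(label, 'user',
            user_id=self.id,
        )

    if GOOGLE_AUTH in self.auth_type and GOOGLE_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True
        try:
            # NOTE(review): requests.get is called without a timeout, so an
            # unresponsive auth server blocks this check indefinitely —
            # confirm whether the caller bounds it elsewhere.
            resp = requests.get(auth_server + '/update/google?user=%s&license=%s' % (
                urllib.quote(self.email),
                settings.app.license,
            ))
            if resp.status_code == 200:
                return True
        except Exception:  # was a bare except: would also swallow SystemExit
            log_check_error('Google auth check error')
        return False
    elif SLACK_AUTH in self.auth_type and SLACK_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True
        if not isinstance(settings.app.sso_match, list):
            raise TypeError('Invalid sso match')
        try:
            resp = requests.get(
                auth_server + '/update/slack?user=%s&team=%s&license=%s' % (
                    urllib.quote(self.name),
                    urllib.quote(settings.app.sso_match[0]),
                    settings.app.license,
                ))
            if resp.status_code == 200:
                return True
        except Exception:
            log_check_error('Slack auth check error')
        return False
    elif (SAML_ONELOGIN_AUTH in self.auth_type and
            SAML_ONELOGIN_AUTH in sso_mode):
        if settings.user.skip_remote_sso_check:
            return True
        try:
            return sso.auth_onelogin(self.name)
        except Exception:
            log_check_error('OneLogin auth check error')
        return False
    elif (SAML_OKTA_AUTH in self.auth_type and
            SAML_OKTA_AUTH in sso_mode):
        if settings.user.skip_remote_sso_check:
            return True
        try:
            return sso.auth_okta(self.name)
        except Exception:
            log_check_error('Okta auth check error')
        return False
    elif RADIUS_AUTH in self.auth_type and RADIUS_AUTH in sso_mode:
        try:
            # verify_radius returns a tuple; element 0 is the accept flag.
            return sso.verify_radius(self.name, password)[0]
        except Exception:
            log_check_error('Radius auth check error')
        return False
    elif PLUGIN_AUTH in self.auth_type:
        try:
            # Element 0 of the plugin result is used as the accept flag here.
            return sso.plugin_login_authenticate(
                user_name=self.name,
                password=password,
                remote_ip=remote_ip,
            )[0]
        except Exception:
            log_check_error('Plugin auth check error')
        return False
    return True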
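def sso_auth_check(self, password, remote_ip):
    """Re-verify this user against the configured single sign-on provider.

    Only the provider that is both in ``self.auth_type`` and in the
    server-wide SSO mode (``settings.app.sso``) is consulted; a user whose
    auth type is not handled here is accepted unchanged (returns True).
    The Google and Slack paths only confirm that ``AUTH_SERVER`` answered
    HTTP 200 for the user; the actual lookup happens on the remote side.

    Every remote error is logged and converted into a denial, so the check
    fails closed. ``settings.user.skip_remote_sso_check`` skips the remote
    lookup (accepting the user) for the Google, Slack, OneLogin and Okta
    paths; RADIUS and plugin auth always run.

    Args:
        password: Forwarded to the RADIUS and plugin authenticators only.
        remote_ip: Forwarded to the plugin authenticator only.

    Returns:
        bool: True when the user is still authorised, False otherwise.

    Raises:
        TypeError: Slack is configured but ``settings.app.sso_match`` is not a list.
    """
    sso_mode = settings.app.sso or ''

    def log_check_error(label):
        logger.exception(label, 'user',
            user_id=self.id,
        )

    if GOOGLE_AUTH in self.auth_type and GOOGLE_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True
        try:
            # NOTE(review): requests.get is called without a timeout, so an
            # unresponsive auth server blocks this check indefinitely —
            # confirm whether the caller bounds it elsewhere.
            resp = requests.get(AUTH_SERVER + '/update/google?user=%s&license=%s' % (
                urllib.quote(self.email),
                settings.app.license,
            ))
            if resp.status_code == 200:
                return True
        except Exception:  # was a bare except: would also swallow SystemExit
            log_check_error('Google auth check error')
        return False
    elif SLACK_AUTH in self.auth_type and SLACK_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True
        if not isinstance(settings.app.sso_match, list):
            raise TypeError('Invalid sso match')
        try:
            resp = requests.get(AUTH_SERVER + '/update/slack?user=%s&team=%s&license=%s' % (
                urllib.quote(self.name),
                urllib.quote(settings.app.sso_match[0]),
                settings.app.license,
            ))
            if resp.status_code == 200:
                return True
        except Exception:
            log_check_error('Slack auth check error')
        return False
    elif (SAML_ONELOGIN_AUTH in self.auth_type and
            SAML_ONELOGIN_AUTH in sso_mode):
        if settings.user.skip_remote_sso_check:
            return True
        try:
            return sso.auth_onelogin(self.name)
        except Exception:
            log_check_error('OneLogin auth check error')
        return False
    elif (SAML_OKTA_AUTH in self.auth_type and
            SAML_OKTA_AUTH in sso_mode):
        if settings.user.skip_remote_sso_check:
            return True
        try:
            return sso.auth_okta(self.name)
        except Exception:
            log_check_error('Okta auth check error')
        return False
    elif RADIUS_AUTH in self.auth_type and RADIUS_AUTH in sso_mode:
        try:
            # verify_radius returns a tuple; element 0 is the accept flag.
            return sso.verify_radius(self.name, password)[0]
        except Exception:
            log_check_error('Radius auth check error')
        return False
    elif PLUGIN_AUTH in self.auth_type:
        try:
            # Element 0 of the plugin result is used as the accept flag here.
            return sso.plugin_login_authenticate(
                user_name=self.name,
                password=password,
                remote_ip=remote_ip,
            )[0]
        except Exception:
            log_check_error('Plugin auth check error')
        return False
    return True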
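def sso_auth_check(self, password, remote_ip):
    """Re-verify this user against the configured single sign-on provider.

    Only the provider that is both in ``self.auth_type`` and in the
    server-wide SSO mode (``settings.app.sso``) is consulted; a user whose
    auth type is not handled here is accepted unchanged (returns True).
    For Google, Azure and Auth0 the provider's group list is synced onto
    the user when the matching ``sso_*_mode`` setting is ``'groups'``.

    Every remote error is logged and converted into a denial, so the check
    fails closed. ``settings.user.skip_remote_sso_check`` skips the remote
    lookup (accepting the user) for the Google, Azure, Auth0, Slack,
    OneLogin and Okta paths; RADIUS and plugin auth always run.

    Args:
        password: Forwarded to the RADIUS and plugin authenticators only.
        remote_ip: Forwarded to the plugin authenticator only.

    Returns:
        bool: True when the user is still authorised, False otherwise.

    Raises:
        TypeError: Slack is configured but ``settings.app.sso_match`` is not a list.
    """
    sso_mode = settings.app.sso or ''
    auth_server = AUTH_SERVER
    if settings.app.dedicated:
        auth_server = settings.app.dedicated

    def sync_groups(provider_groups):
        # Replace the user's groups with the provider's set, committing only
        # when something actually changed.
        current = set(self.groups)
        wanted = set(provider_groups)
        if current != wanted:
            self.groups = list(wanted)
            self.commit('groups')

    def log_request_error(label, resp):
        logger.error(label, 'user',
            user_id=self.id,
            user_name=self.name,
            status_code=resp.status_code,
            content=resp.content,
        )

    def log_failed(label):
        logger.error(label, 'user',
            user_id=self.id,
            user_name=self.name,
        )

    def log_check_error(label):
        logger.exception(label, 'user',
            user_id=self.id,
            user_name=self.name,
        )

    if GOOGLE_AUTH in self.auth_type and GOOGLE_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True
        try:
            # NOTE(review): requests.get is called without a timeout, so an
            # unresponsive auth server blocks this check indefinitely —
            # confirm whether the caller bounds it elsewhere.
            resp = requests.get(auth_server + '/update/google?user=%s&license=%s' % (
                urllib.quote(self.email),
                settings.app.license,
            ))
            if resp.status_code != 200:
                log_request_error('Google auth check request error', resp)
                return False

            valid, google_groups = sso.verify_google(self.email)
            if not valid:
                log_failed('Google auth check failed')
                return False

            if settings.app.sso_google_mode == 'groups':
                sync_groups(google_groups)
            return True
        except Exception:  # was a bare except: would also swallow SystemExit
            log_check_error('Google auth check error')
        return False
    elif AZURE_AUTH in self.auth_type and AZURE_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True
        try:
            # NOTE(review): the Azure app secret is sent as a query-string
            # parameter; query strings are commonly captured in proxy and
            # web-server access logs. Moving it to a request body or header
            # would need a matching change on the auth server.
            resp = requests.get(auth_server +
                ('/update/azure?user=%s&license=%s&' +
                'directory_id=%s&app_id=%s&app_secret=%s') % (
                    urllib.quote(self.name),
                    settings.app.license,
                    urllib.quote(settings.app.sso_azure_directory_id),
                    urllib.quote(settings.app.sso_azure_app_id),
                    urllib.quote(settings.app.sso_azure_app_secret),
                ))
            if resp.status_code != 200:
                log_request_error('Azure auth check request error', resp)
                return False

            valid, azure_groups = sso.verify_azure(self.name)
            if not valid:
                log_failed('Azure auth check failed')
                return False

            if settings.app.sso_azure_mode == 'groups':
                sync_groups(azure_groups)
            return True
        except Exception:
            log_check_error('Azure auth check error')
        return False
    elif AUTHZERO_AUTH in self.auth_type and AUTHZERO_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True
        try:
            # NOTE(review): same query-string exposure of the app secret as
            # the Azure path above.
            resp = requests.get(auth_server +
                ('/update/authzero?user=%s&license=%s&' +
                'app_domain=%s&app_id=%s&app_secret=%s') % (
                    urllib.quote(self.name),
                    settings.app.license,
                    urllib.quote(settings.app.sso_authzero_domain),
                    urllib.quote(settings.app.sso_authzero_app_id),
                    urllib.quote(settings.app.sso_authzero_app_secret),
                ))
            if resp.status_code != 200:
                log_request_error('Auth0 auth check request error', resp)
                return False

            valid, authzero_groups = sso.verify_authzero(self.name)
            if not valid:
                log_failed('Auth0 auth check failed')
                return False

            if settings.app.sso_authzero_mode == 'groups':
                sync_groups(authzero_groups)
            return True
        except Exception:
            log_check_error('Auth0 auth check error')
        return False
    elif SLACK_AUTH in self.auth_type and SLACK_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True
        if not isinstance(settings.app.sso_match, list):
            raise TypeError('Invalid sso match')
        try:
            resp = requests.get(auth_server + '/update/slack?user=%s&team=%s&license=%s' % (
                urllib.quote(self.name),
                urllib.quote(settings.app.sso_match[0]),
                settings.app.license,
            ))
            if resp.status_code != 200:
                log_request_error('Slack auth check request error', resp)
                return False
            return True
        except Exception:
            log_check_error('Slack auth check error')
        return False
    elif (SAML_ONELOGIN_AUTH in self.auth_type and
            SAML_ONELOGIN_AUTH in sso_mode):
        if settings.user.skip_remote_sso_check:
            return True
        try:
            return sso.auth_onelogin(self.name)
        except Exception:
            log_check_error('OneLogin auth check error')
        return False
    elif (SAML_OKTA_AUTH in self.auth_type and
            SAML_OKTA_AUTH in sso_mode):
        if settings.user.skip_remote_sso_check:
            return True
        try:
            return sso.auth_okta(self.name)
        except Exception:
            log_check_error('Okta auth check error')
        return False
    elif RADIUS_AUTH in self.auth_type and RADIUS_AUTH in sso_mode:
        try:
            # verify_radius returns a tuple; element 0 is the accept flag.
            return sso.verify_radius(self.name, password)[0]
        except Exception:
            log_check_error('Radius auth check error')
        return False
    elif PLUGIN_AUTH in self.auth_type:
        try:
            # NOTE(review): element 1 of the plugin result is used here,
            # whereas the earlier versions of this method in this listing
            # use element 0 — confirm against the return tuple of
            # sso.plugin_login_authenticate.
            return sso.plugin_login_authenticate(
                user_name=self.name,
                password=password,
                remote_ip=remote_ip,
            )[1]
        except Exception:
            log_check_error('Plugin auth check error')
        return False
    return True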
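def auth_thread():
    """Worker for the push second factor (Duo/Okta) on a client connect.

    Runs in a background thread and closes over the connect context of the
    enclosing method: ``self``, ``client``, ``client_id``, ``key_id``,
    ``user``, ``org``, ``reauth``, ``remote_ip``, ``platform``,
    ``device_name`` and the push ``type`` (which shadows the builtin in
    the enclosing scope). ``allow`` starts False and is only set by a
    successful provider call, so a push-server error still ends in a deny
    for the client (fails closed). Both phases log their own failures and
    report them to the instance process via ``push_output``; the thread
    itself never raises.
    """
    info = {
        'Server': self.server.name,
    }

    # Platform label shown in the push prompt; unknown platforms (and
    # 'ios', which this variant does not map) render as "(None)".
    platform_name = None
    if platform == 'linux':
        platform_name = 'Linux'
    elif platform == 'mac':
        platform_name = 'Apple'
    elif platform == 'win':
        platform_name = 'Windows'
    elif platform == 'chrome':
        platform_name = 'Chrome OS'

    if device_name:
        info['Device'] = '%s (%s)' % (device_name, platform_name)

    # Phase 1: ask the push provider. Any error leaves allow == False.
    allow = False
    try:
        if type == DUO_AUTH:
            allow, _ = sso.auth_duo(
                user.name,
                ipaddr=remote_ip,
                type='Connection',
                info=info,
            )
        elif type == SAML_OKTA_AUTH:
            allow = sso.auth_okta(
                user.name,
                ipaddr=remote_ip,
                type='Connection',
                info=info,
            )
        else:
            raise ValueError('Unkown push auth type')
    except Exception:  # was a bare except: would also swallow SystemExit
        logger.exception('Push auth server error', 'server',
            client_id=client_id,
            user_id=user.id,
            username=user.name,
            server_id=self.server.id,
        )
        self.instance_com.push_output(
            'ERROR Push auth server error client_id=%s' % client_id)

    # Phase 2: admit or deny the client based on the push result.
    try:
        if allow:
            self.allow_client(client, org, user, reauth)
        else:
            logger.LogEntry(message='User failed push authentication "%s".' % user.name)
            user.audit_event('user_connection',
                'User connection to "%s" denied. Push authentication failed' % (
                    self.server.name),
                remote_addr=remote_ip,
            )
            self.instance_com.send_client_deny(
                client_id,
                key_id,
                'User failed push authentication',
            )
    except Exception:
        logger.exception('Push auth error', 'server',
            client_id=client_id,
            user_id=user.id,
            server_id=self.server.id,
        )
        self.instance_com.push_output(
            'ERROR Push auth error client_id=%s' % client_id)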
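def sso_auth_check(self, password):
    """Re-verify this user against the single sign-on provider in ``self.auth_type``.

    Each provider path logs any failure and returns False, so the check
    fails closed. A user whose auth type matches none of the providers
    handled here is accepted unchanged (returns True). The Google and Slack
    paths only confirm that ``AUTH_SERVER`` answered HTTP 200 for the user;
    the actual lookup happens on the remote side.

    Args:
        password: Used by the RADIUS path only; ignored otherwise.

    Returns:
        bool: True when the user is still authorised, False otherwise.
    """
    def log_check_error(label):
        logger.exception(label, 'user',
            user_id=self.id,
        )

    if GOOGLE_AUTH in self.auth_type:
        try:
            resp = utils.request.get(AUTH_SERVER + '/update/google?user=%s&license=%s' % (
                urllib.quote(self.email),
                settings.app.license,
            ))
            if resp.status_code == 200:
                return True
        except Exception:  # was a bare except: would also swallow SystemExit/KeyboardInterrupt
            log_check_error('Google auth check error')
        return False
    elif SLACK_AUTH in self.auth_type:
        try:
            resp = utils.request.get(
                AUTH_SERVER + '/update/slack?user=%s&team=%s&license=%s' % (
                    urllib.quote(self.name),
                    urllib.quote(settings.app.sso_match[0]),
                    settings.app.license,
                ))
            if resp.status_code == 200:
                return True
        except Exception:
            log_check_error('Slack auth check error')
        return False
    elif SAML_ONELOGIN_AUTH in self.auth_type:
        try:
            return sso.auth_onelogin(self.name)
        except Exception:
            log_check_error('OneLogin auth check error')
        return False
    elif SAML_OKTA_AUTH in self.auth_type:
        try:
            return sso.auth_okta(self.name)
        except Exception:
            log_check_error('Okta auth check error')
        return False
    elif RADIUS_AUTH in self.auth_type:
        try:
            # verify_radius returns a tuple; element 0 is the accept flag.
            return sso.verify_radius(self.name, password)[0]
        except Exception:
            log_check_error('Radius auth check error')
        return False
    return True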