def _auth_plugin(username, password):
if settings.local.sub_plan != 'enterprise':
return utils.jsonify({
'error': AUTH_INVALID,
'error_msg': AUTH_INVALID_MSG,
}, 401)
valid, org_id, groups = sso.plugin_login_authenticate(
user_name=username,
password=password,
remote_ip=utils.get_remote_addr(),
)
if not valid:
return utils.jsonify({
'error': AUTH_INVALID,
'error_msg': AUTH_INVALID_MSG,
}, 401)
if not org_id:
logger.error(
'Login plugin did not return valid organization name',
'auth',
org_name=org_id,
user_name=username,
)
return utils.jsonify({
'error': AUTH_INVALID,
'error_msg': AUTH_INVALID_MSG,
}, 401)
org = organization.get_by_id(org_id)
if not org:
return flask.abort(405)
usr = org.find_user(name=username)
if not usr:
usr = org.new_user(name=username, type=CERT_CLIENT,
auth_type=PLUGIN_AUTH, groups=list(groups) if groups else None)
usr.audit_event(
'user_created',
'User created with plugin authentication',
remote_addr=utils.get_remote_addr(),
)
event.Event(type=ORGS_UPDATED)
event.Event(type=USERS_UPDATED, resource_id=org.id)
event.Event(type=SERVERS_UPDATED)
else:
if usr.disabled:
return utils.jsonify({
'error': AUTH_DISABLED,
'error_msg': AUTH_DISABLED_MSG,
}, 403)
if groups and groups - set(usr.groups or []):
usr.groups = list(set(usr.groups or []) | groups)
usr.commit('groups')
if usr.auth_type != PLUGIN_AUTH:
usr.auth_type = PLUGIN_AUTH
usr.set_pin(None)
usr.commit(('auth_type', 'pin'))
key_link = org.create_user_key_link(usr.id, one_time=True)
usr.audit_event('user_profile',
'User profile viewed from plugin authentication',
remote_addr=utils.get_remote_addr(),
)
return utils.jsonify({
'redirect': utils.get_url_root() + key_link['view_url'],
}, 202)
def sso_auth_check(self, password, remote_ip):
sso_mode = settings.app.sso or ''
auth_server = AUTH_SERVER
if settings.app.dedicated:
auth_server = settings.app.dedicated
if GOOGLE_AUTH in self.auth_type and GOOGLE_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
try:
resp = requests.get(auth_server +
'/update/google?user=%s&license=%s' % (
urllib.quote(self.email),
settings.app.license,
))
if resp.status_code != 200:
logger.error(
'Google auth check request error',
'user',
user_id=self.id,
user_name=self.name,
status_code=resp.status_code,
content=resp.content,
)
return False
valid, google_groups = sso.verify_google(self.email)
if not valid:
logger.error(
'Google auth check failed',
'user',
user_id=self.id,
user_name=self.name,
)
return False
if settings.app.sso_google_mode == 'groups':
cur_groups = set(self.groups)
new_groups = set(google_groups)
if cur_groups != new_groups:
self.groups = list(new_groups)
self.commit('groups')
return True
except:
logger.exception(
'Google auth check error',
'user',
user_id=self.id,
user_name=self.name,
)
return False
elif AZURE_AUTH in self.auth_type and AZURE_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
try:
resp = requests.get(
auth_server + ('/update/azure?user=%s&license=%s&' +
'directory_id=%s&app_id=%s&app_secret=%s') %
(
urllib.quote(self.name),
settings.app.license,
urllib.quote(settings.app.sso_azure_directory_id),
urllib.quote(settings.app.sso_azure_app_id),
urllib.quote(settings.app.sso_azure_app_secret),
))
if resp.status_code != 200:
logger.error(
'Azure auth check request error',
'user',
user_id=self.id,
user_name=self.name,
status_code=resp.status_code,
content=resp.content,
)
return False
valid, azure_groups = sso.verify_azure(self.name)
if not valid:
logger.error(
'Azure auth check failed',
'user',
user_id=self.id,
user_name=self.name,
)
return False
if settings.app.sso_azure_mode == 'groups':
cur_groups = set(self.groups)
new_groups = set(azure_groups)
if cur_groups != new_groups:
self.groups = list(new_groups)
self.commit('groups')
return True
except:
logger.exception(
'Azure auth check error',
'user',
user_id=self.id,
user_name=self.name,
)
return False
elif SLACK_AUTH in self.auth_type and SLACK_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
if not isinstance(settings.app.sso_match, list):
raise TypeError('Invalid sso match')
try:
resp = requests.get(
auth_server + '/update/slack?user=%s&team=%s&license=%s' %
(
urllib.quote(self.name),
urllib.quote(settings.app.sso_match[0]),
settings.app.license,
))
if resp.status_code != 200:
logger.error(
'Slack auth check request error',
'user',
user_id=self.id,
user_name=self.name,
status_code=resp.status_code,
content=resp.content,
)
return False
return True
except:
logger.exception(
'Slack auth check error',
'user',
user_id=self.id,
user_name=self.name,
)
return False
elif SAML_ONELOGIN_AUTH in self.auth_type and \
SAML_ONELOGIN_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
try:
return sso.auth_onelogin(self.name)
except:
logger.exception(
'OneLogin auth check error',
'user',
user_id=self.id,
user_name=self.name,
)
return False
elif SAML_OKTA_AUTH in self.auth_type and \
SAML_OKTA_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
try:
return sso.auth_okta(self.name)
except:
logger.exception(
'Okta auth check error',
'user',
user_id=self.id,
user_name=self.name,
)
return False
elif RADIUS_AUTH in self.auth_type and RADIUS_AUTH in sso_mode:
try:
return sso.verify_radius(self.name, password)[0]
except:
logger.exception(
'Radius auth check error',
'user',
user_id=self.id,
user_name=self.name,
)
return False
elif PLUGIN_AUTH in self.auth_type:
try:
return sso.plugin_login_authenticate(
user_name=self.name,
password=password,
remote_ip=remote_ip,
)[0]
except:
logger.exception(
'Plugin auth check error',
'user',
user_id=self.id,
user_name=self.name,
)
return False
return True
def _auth_plugin(username, password, remote_addr):
if not settings.local.sub_plan or \
'enterprise' not in settings.local.sub_plan:
journal.entry(
journal.ADMIN_AUTH_FAILURE,
user_name=username,
remote_address=remote_addr,
reason=journal.ADMIN_AUTH_REASON_INVALID_USERNAME,
reason_long='Invalid username',
)
return utils.jsonify(
{
'error': AUTH_INVALID,
'error_msg': AUTH_INVALID_MSG,
}, 401)
has_plugin, valid, org_id, groups = sso.plugin_login_authenticate(
user_name=username,
password=password,
remote_ip=remote_addr,
)
if not has_plugin:
journal.entry(
journal.ADMIN_AUTH_FAILURE,
user_name=username,
remote_address=remote_addr,
reason=journal.ADMIN_AUTH_REASON_INVALID_USERNAME,
reason_long='Invalid username',
)
return utils.jsonify(
{
'error': AUTH_INVALID,
'error_msg': AUTH_INVALID_MSG,
}, 401)
if not valid:
journal.entry(
journal.SSO_AUTH_REASON_PLUGIN_FAILED,
user_name=username,
remote_address=remote_addr,
reason=journal.SSO_AUTH_REASON_PLUGIN_FAILED,
reason_long='Plugin authentication failed',
)
return utils.jsonify(
{
'error': AUTH_INVALID,
'error_msg': AUTH_INVALID_MSG,
}, 401)
if not org_id:
logger.error(
'Login plugin did not return valid organization name',
'auth',
org_name=org_id,
user_name=username,
)
return utils.jsonify(
{
'error': AUTH_INVALID,
'error_msg': AUTH_INVALID_MSG,
}, 401)
org = organization.get_by_id(org_id)
if not org:
logger.error(
'Organization for sso does not exist',
'auth',
org_id=org_id,
)
return flask.abort(405)
usr = org.find_user(name=username)
if not usr:
usr = org.new_user(name=username,
type=CERT_CLIENT,
auth_type=PLUGIN_AUTH,
groups=list(groups) if groups else None)
usr.audit_event(
'user_created',
'User created with plugin authentication',
remote_addr=utils.get_remote_addr(),
)
journal.entry(
journal.USER_CREATE,
usr.journal_data,
event_long='User created with plugin authentication',
remote_address=remote_addr,
)
event.Event(type=ORGS_UPDATED)
event.Event(type=USERS_UPDATED, resource_id=org.id)
event.Event(type=SERVERS_UPDATED)
else:
if usr.disabled:
return utils.jsonify(
{
'error': AUTH_DISABLED,
'error_msg': AUTH_DISABLED_MSG,
}, 403)
if groups and groups - set(usr.groups or []):
usr.groups = list(set(usr.groups or []) | groups)
usr.commit('groups')
if usr.auth_type != PLUGIN_AUTH:
usr.auth_type = PLUGIN_AUTH
usr.set_pin(None)
usr.commit(('auth_type', 'pin'))
key_link = org.create_user_key_link(usr.id, one_time=True)
usr.audit_event(
'user_profile',
'User profile viewed from plugin authentication',
remote_addr=utils.get_remote_addr(),
)
journal.entry(
journal.USER_PROFILE_SUCCESS,
usr.journal_data,
event_long='User profile viewed from plugin authentication',
remote_address=remote_addr,
)
return utils.jsonify(
{
'redirect': utils.get_url_root() + key_link['view_url'],
}, 202)
def _auth_plugin(username, password):
if not settings.local.sub_plan or \
'enterprise' not in settings.local.sub_plan:
return utils.jsonify({
'error': AUTH_INVALID,
'error_msg': AUTH_INVALID_MSG,
}, 401)
valid, org_id, groups = sso.plugin_login_authenticate(
user_name=username,
password=password,
remote_ip=utils.get_remote_addr(),
)
if not valid:
return utils.jsonify({
'error': AUTH_INVALID,
'error_msg': AUTH_INVALID_MSG,
}, 401)
if not org_id:
logger.error(
'Login plugin did not return valid organization name',
'auth',
org_name=org_id,
user_name=username,
)
return utils.jsonify({
'error': AUTH_INVALID,
'error_msg': AUTH_INVALID_MSG,
}, 401)
org = organization.get_by_id(org_id)
if not org:
return flask.abort(405)
usr = org.find_user(name=username)
if not usr:
usr = org.new_user(name=username, type=CERT_CLIENT,
auth_type=PLUGIN_AUTH, groups=list(groups) if groups else None)
usr.audit_event(
'user_created',
'User created with plugin authentication',
remote_addr=utils.get_remote_addr(),
)
event.Event(type=ORGS_UPDATED)
event.Event(type=USERS_UPDATED, resource_id=org.id)
event.Event(type=SERVERS_UPDATED)
else:
if usr.disabled:
return utils.jsonify({
'error': AUTH_DISABLED,
'error_msg': AUTH_DISABLED_MSG,
}, 403)
if groups and groups - set(usr.groups or []):
usr.groups = list(set(usr.groups or []) | groups)
usr.commit('groups')
if usr.auth_type != PLUGIN_AUTH:
usr.auth_type = PLUGIN_AUTH
usr.set_pin(None)
usr.commit(('auth_type', 'pin'))
key_link = org.create_user_key_link(usr.id, one_time=True)
usr.audit_event('user_profile',
'User profile viewed from plugin authentication',
remote_addr=utils.get_remote_addr(),
)
return utils.jsonify({
'redirect': utils.get_url_root() + key_link['view_url'],
}, 202)
def sso_auth_check(self, password, remote_ip):
sso_mode = settings.app.sso or ''
auth_server = AUTH_SERVER
if settings.app.dedicated:
auth_server = settings.app.dedicated
if GOOGLE_AUTH in self.auth_type and GOOGLE_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
try:
resp = requests.get(auth_server +
'/update/google?user=%s&license=%s' % (
urllib.quote(self.email),
settings.app.license,
))
if resp.status_code == 200:
return True
except:
logger.exception(
'Google auth check error',
'user',
user_id=self.id,
)
return False
elif SLACK_AUTH in self.auth_type and SLACK_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
if not isinstance(settings.app.sso_match, list):
raise TypeError('Invalid sso match')
try:
resp = requests.get(
auth_server + '/update/slack?user=%s&team=%s&license=%s' %
(
urllib.quote(self.name),
urllib.quote(settings.app.sso_match[0]),
settings.app.license,
))
if resp.status_code == 200:
return True
except:
logger.exception(
'Slack auth check error',
'user',
user_id=self.id,
)
return False
elif SAML_ONELOGIN_AUTH in self.auth_type and \
SAML_ONELOGIN_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
try:
return sso.auth_onelogin(self.name)
except:
logger.exception(
'OneLogin auth check error',
'user',
user_id=self.id,
)
return False
elif SAML_OKTA_AUTH in self.auth_type and \
SAML_OKTA_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
try:
return sso.auth_okta(self.name)
except:
logger.exception(
'Okta auth check error',
'user',
user_id=self.id,
)
return False
elif RADIUS_AUTH in self.auth_type and RADIUS_AUTH in sso_mode:
try:
return sso.verify_radius(self.name, password)[0]
except:
logger.exception(
'Radius auth check error',
'user',
user_id=self.id,
)
return False
elif PLUGIN_AUTH in self.auth_type:
try:
return sso.plugin_login_authenticate(
user_name=self.name,
password=password,
remote_ip=remote_ip,
)[0]
except:
logger.exception(
'Plugin auth check error',
'user',
user_id=self.id,
)
return False
return True
def sso_auth_check(self, password, remote_ip):
sso_mode = settings.app.sso or ''
if GOOGLE_AUTH in self.auth_type and GOOGLE_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
try:
resp = requests.get(AUTH_SERVER +
'/update/google?user=%s&license=%s' % (
urllib.quote(self.email),
settings.app.license,
))
if resp.status_code == 200:
return True
except:
logger.exception('Google auth check error', 'user',
user_id=self.id,
)
return False
elif SLACK_AUTH in self.auth_type and SLACK_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
if not isinstance(settings.app.sso_match, list):
raise TypeError('Invalid sso match')
try:
resp = requests.get(AUTH_SERVER +
'/update/slack?user=%s&team=%s&license=%s' % (
urllib.quote(self.name),
urllib.quote(settings.app.sso_match[0]),
settings.app.license,
))
if resp.status_code == 200:
return True
except:
logger.exception('Slack auth check error', 'user',
user_id=self.id,
)
return False
elif SAML_ONELOGIN_AUTH in self.auth_type and \
SAML_ONELOGIN_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
try:
return sso.auth_onelogin(self.name)
except:
logger.exception('OneLogin auth check error', 'user',
user_id=self.id,
)
return False
elif SAML_OKTA_AUTH in self.auth_type and \
SAML_OKTA_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
try:
return sso.auth_okta(self.name)
except:
logger.exception('Okta auth check error', 'user',
user_id=self.id,
)
return False
elif RADIUS_AUTH in self.auth_type and RADIUS_AUTH in sso_mode:
try:
return sso.verify_radius(self.name, password)[0]
except:
logger.exception('Radius auth check error', 'user',
user_id=self.id,
)
return False
elif PLUGIN_AUTH in self.auth_type:
try:
return sso.plugin_login_authenticate(
user_name=self.name,
password=password,
remote_ip=remote_ip,
)[0]
except:
logger.exception('Plugin auth check error', 'user',
user_id=self.id,
)
return False
return True
def sso_auth_check(self, password, remote_ip):
sso_mode = settings.app.sso or ''
auth_server = AUTH_SERVER
if settings.app.dedicated:
auth_server = settings.app.dedicated
if GOOGLE_AUTH in self.auth_type and GOOGLE_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
try:
resp = requests.get(auth_server +
'/update/google?user=%s&license=%s' % (
urllib.quote(self.email),
settings.app.license,
))
if resp.status_code != 200:
logger.error('Google auth check request error', 'user',
user_id=self.id,
user_name=self.name,
status_code=resp.status_code,
content=resp.content,
)
return False
valid, google_groups = sso.verify_google(self.email)
if not valid:
logger.error('Google auth check failed', 'user',
user_id=self.id,
user_name=self.name,
)
return False
if settings.app.sso_google_mode == 'groups':
cur_groups = set(self.groups)
new_groups = set(google_groups)
if cur_groups != new_groups:
self.groups = list(new_groups)
self.commit('groups')
return True
except:
logger.exception('Google auth check error', 'user',
user_id=self.id,
user_name=self.name,
)
return False
elif AZURE_AUTH in self.auth_type and AZURE_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
try:
resp = requests.get(auth_server +
('/update/azure?user=%s&license=%s&' +
'directory_id=%s&app_id=%s&app_secret=%s') % (
urllib.quote(self.name),
settings.app.license,
urllib.quote(settings.app.sso_azure_directory_id),
urllib.quote(settings.app.sso_azure_app_id),
urllib.quote(settings.app.sso_azure_app_secret),
))
if resp.status_code != 200:
logger.error('Azure auth check request error', 'user',
user_id=self.id,
user_name=self.name,
status_code=resp.status_code,
content=resp.content,
)
return False
valid, azure_groups = sso.verify_azure(self.name)
if not valid:
logger.error('Azure auth check failed', 'user',
user_id=self.id,
user_name=self.name,
)
return False
if settings.app.sso_azure_mode == 'groups':
cur_groups = set(self.groups)
new_groups = set(azure_groups)
if cur_groups != new_groups:
self.groups = list(new_groups)
self.commit('groups')
return True
except:
logger.exception('Azure auth check error', 'user',
user_id=self.id,
user_name=self.name,
)
return False
elif AUTHZERO_AUTH in self.auth_type and AUTHZERO_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
try:
resp = requests.get(auth_server +
('/update/authzero?user=%s&license=%s&' +
'app_domain=%s&app_id=%s&app_secret=%s') % (
urllib.quote(self.name),
settings.app.license,
urllib.quote(settings.app.sso_authzero_domain),
urllib.quote(settings.app.sso_authzero_app_id),
urllib.quote(settings.app.sso_authzero_app_secret),
))
if resp.status_code != 200:
logger.error('Auth0 auth check request error', 'user',
user_id=self.id,
user_name=self.name,
status_code=resp.status_code,
content=resp.content,
)
return False
valid, authzero_groups = sso.verify_authzero(self.name)
if not valid:
logger.error('Auth0 auth check failed', 'user',
user_id=self.id,
user_name=self.name,
)
return False
if settings.app.sso_authzero_mode == 'groups':
cur_groups = set(self.groups)
new_groups = set(authzero_groups)
if cur_groups != new_groups:
self.groups = list(new_groups)
self.commit('groups')
return True
except:
logger.exception('Auth0 auth check error', 'user',
user_id=self.id,
user_name=self.name,
)
return False
elif SLACK_AUTH in self.auth_type and SLACK_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
if not isinstance(settings.app.sso_match, list):
raise TypeError('Invalid sso match')
try:
resp = requests.get(auth_server +
'/update/slack?user=%s&team=%s&license=%s' % (
urllib.quote(self.name),
urllib.quote(settings.app.sso_match[0]),
settings.app.license,
))
if resp.status_code != 200:
logger.error('Slack auth check request error', 'user',
user_id=self.id,
user_name=self.name,
status_code=resp.status_code,
content=resp.content,
)
return False
return True
except:
logger.exception('Slack auth check error', 'user',
user_id=self.id,
user_name=self.name,
)
return False
elif SAML_ONELOGIN_AUTH in self.auth_type and \
SAML_ONELOGIN_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
try:
return sso.auth_onelogin(self.name)
except:
logger.exception('OneLogin auth check error', 'user',
user_id=self.id,
user_name=self.name,
)
return False
elif SAML_OKTA_AUTH in self.auth_type and \
SAML_OKTA_AUTH in sso_mode:
if settings.user.skip_remote_sso_check:
return True
try:
return sso.auth_okta(self.name)
except:
logger.exception('Okta auth check error', 'user',
user_id=self.id,
user_name=self.name,
)
return False
elif RADIUS_AUTH in self.auth_type and RADIUS_AUTH in sso_mode:
try:
return sso.verify_radius(self.name, password)[0]
except:
logger.exception('Radius auth check error', 'user',
user_id=self.id,
user_name=self.name,
)
return False
elif PLUGIN_AUTH in self.auth_type:
try:
return sso.plugin_login_authenticate(
user_name=self.name,
password=password,
remote_ip=remote_ip,
)[1]
except:
logger.exception('Plugin auth check error', 'user',
user_id=self.id,
user_name=self.name,
)
return False
return True
