def openid_login_callback(request):
#构造需要检查签名的内容
OPENID_RESPONSE = dict(request.GET)
SIGNED_CONTENT = []
#import json
#print json.dumps(OPENID_RESPONSE, indent=4)
for k in OPENID_RESPONSE['openid.signed'][0].split(","):
response_data = OPENID_RESPONSE["openid.%s" % k]
SIGNED_CONTENT.append("%s:%s\n" % (k, response_data[0]))
SIGNED_CONTENT = "".join(SIGNED_CONTENT).encode("UTF-8")
# 使用associate请求获得的mac_key与SIGNED_CONTENT进行assoc_type hash,
# 检查是否与OpenID Server返回的一致
SIGNED_CONTENT_SIG = base64.b64encode(
hmac.new(base64.b64decode(request.session.get('mac_key', '')),
SIGNED_CONTENT, hashlib.sha256).digest())
if SIGNED_CONTENT_SIG != OPENID_RESPONSE['openid.sig'][0]:
return '认证失败,请重新登录验证'
request.session.pop('mac_key', None)
email = request.GET.get('openid.sreg.email', '')
fullname = request.GET.get('openid.sreg.fullname', '')
next_url = request.GET.get('next', '/')
login_user = User.objects.filter(username__iexact=email)
if login_user.exists():
login_user = login_user[0]
login_user.set_password("sentry_netease_openid_pwd")
login_user.name = fullname # update by hzwangzhiwei @20160329
login_user.save()
else:
#不存在数据,则增加数据数用户表
login_user = User(username=email, name=fullname, email=email)
login_user.set_password("sentry_netease_openid_pwd")
login_user.save() #save to db
# 如果不存在将这个人加入到组织member表中
if not OrganizationMember.objects.filter(
user=login_user, organization=Organization.get_default()).exists():
# 同时给他们默认的trace收集
# 将用户到组织中
orgMember = OrganizationMember(user=login_user,
organization=Organization.get_default())
orgMember.save()
orgMember = OrganizationMember.objects.get(
user=login_user, organization=Organization.get_default())
# 保存组织者到第一个小组
orgMemTeam = OrganizationMemberTeam(organizationmember=orgMember,
team=Team.objects.get(id=1))
orgMemTeam.save()
# HACK: grab whatever the first backend is and assume it works
login_user.backend = settings.AUTHENTICATION_BACKENDS[0]
auth.login(request, login_user)
# can_register should only allow a single registration
request.session.pop('can_register', None)
request.session.pop('needs_captcha', None)
return HttpResponseRedirect(next_url)
def delete(self, request, organization, member_id, team_slug):
"""
Leave a team
Leave a team.
"""
try:
om = self._get_member(request, organization, member_id)
except OrganizationMember.DoesNotExist:
raise ResourceDoesNotExist
if not self._can_access(request, om):
return Response({'detail': ERR_INSUFFICIENT_ROLE}, status=400)
try:
team = Team.objects.get(
organization=organization,
slug=team_slug,
)
except Team.DoesNotExist:
raise ResourceDoesNotExist
try:
omt = OrganizationMemberTeam.objects.get(
team=team,
organizationmember=om,
)
except OrganizationMemberTeam.DoesNotExist:
# we need to create the row in order to handle superusers leaving a
# team which they were never a member for (therefor there was never
# a matching row)
omt = OrganizationMemberTeam(
team=team,
organizationmember=om,
# setting this to true ensures it gets saved below
is_active=True,
)
if omt.is_active:
omt.is_active = False
omt.save()
self.create_audit_entry(
request=request,
organization=organization,
target_object=omt.id,
target_user=om.user,
event=AuditLogEntryEvent.MEMBER_LEAVE_TEAM,
data=omt.get_audit_log_data(),
)
return Response(serialize(
team, request.user, TeamWithProjectsSerializer()), status=200)
def save_team_assignments(self, organization_member):
OrganizationMemberTeam.objects.filter(organizationmember=organization_member).delete()
OrganizationMemberTeam.objects.bulk_create([
OrganizationMemberTeam(team=team,
organizationmember=organization_member)
for team in self.cleaned_data['teams']
])
def save_team_assignments(self, organization_member, teams):
# teams may be empty
OrganizationMemberTeam.objects.filter(
organizationmember=organization_member).delete()
OrganizationMemberTeam.objects.bulk_create([
OrganizationMemberTeam(team=team,
organizationmember=organization_member)
for team in teams
])
def sentry_update_team_member(team, organization_member):
model = sentry_find_team_member(team, organization_member)
existing = model is not None
if not existing:
model = OrganizationMemberTeam()
model.organizationmember = organization_member
model.team = team
model.save()
return model, existing
def delete(self, request, organization, member_id, team_slug):
"""
Leave a team
Leave a team.
"""
try:
om = self._get_member(request, organization, member_id)
except OrganizationMember.DoesNotExist:
raise ResourceDoesNotExist
if not self._can_access(request, om):
return Response({'detail': ERR_INSUFFICIENT_ROLE}, status=400)
try:
team = Team.objects.get(
organization=organization,
slug=team_slug,
)
except Team.DoesNotExist:
raise ResourceDoesNotExist
try:
omt = OrganizationMemberTeam.objects.get(
team=team,
organizationmember=om,
)
except OrganizationMemberTeam.DoesNotExist:
# we need to create the row in order to handle superusers leaving a
# team which they were never a member for (therefor there was never
# a matching row)
omt = OrganizationMemberTeam(
team=team,
organizationmember=om,
# setting this to true ensures it gets saved below
is_active=True,
)
if omt.is_active:
omt.is_active = False
omt.save()
self.create_audit_entry(
request=request,
organization=organization,
target_object=omt.id,
target_user=om.user,
event=AuditLogEntryEvent.MEMBER_LEAVE_TEAM,
data=omt.get_audit_log_data(),
)
return Response(serialize(team, request.user,
TeamWithProjectsSerializer()),
status=200)
def put(self, request: Request, organization, member_id) -> Response:
try:
om = self._get_member(request, organization, member_id)
except OrganizationMember.DoesNotExist:
raise ResourceDoesNotExist
serializer = OrganizationMemberSerializer(data=request.data,
partial=True)
if not serializer.is_valid():
return Response(status=400)
try:
auth_provider = AuthProvider.objects.get(organization=organization)
auth_provider = auth_provider.get_provider()
except AuthProvider.DoesNotExist:
auth_provider = None
allowed_roles = None
result = serializer.validated_data
# XXX(dcramer): if/when this expands beyond reinvite we need to check
# access level
if result.get("reinvite"):
if om.is_pending:
if ratelimits.for_organization_member_invite(
organization=organization,
email=om.email,
user=request.user,
auth=request.auth,
):
metrics.incr(
"member-invite.attempt",
instance="rate_limited",
skip_internal=True,
sample_rate=1.0,
)
return Response({"detail": ERR_RATE_LIMITED}, status=429)
if result.get("regenerate"):
if request.access.has_scope("member:admin"):
om.regenerate_token()
om.save()
else:
return Response({"detail": ERR_INSUFFICIENT_SCOPE},
status=400)
if om.token_expired:
return Response({"detail": ERR_EXPIRED}, status=400)
om.send_invite_email()
elif auth_provider and not getattr(om.flags, "sso:linked"):
om.send_sso_link_email(request.user, auth_provider)
else:
# TODO(dcramer): proper error message
return Response({"detail": ERR_UNINVITABLE}, status=400)
if "teams" in result:
# dupe code from member_index
# ensure listed teams are real teams
teams = list(
Team.objects.filter(organization=organization,
status=TeamStatus.VISIBLE,
slug__in=result["teams"]))
if len(set(result["teams"])) != len(teams):
return Response({"teams": "Invalid team"}, status=400)
with transaction.atomic():
# teams may be empty
OrganizationMemberTeam.objects.filter(
organizationmember=om).delete()
OrganizationMemberTeam.objects.bulk_create([
OrganizationMemberTeam(team=team, organizationmember=om)
for team in teams
])
if result.get("role"):
_, allowed_roles = get_allowed_roles(request, organization)
allowed_role_ids = {r.id for r in allowed_roles}
# A user cannot promote others above themselves
if result["role"] not in allowed_role_ids:
return Response(
{
"role":
"You do not have permission to assign the given role."
},
status=403)
# A user cannot demote a superior
if om.role not in allowed_role_ids:
return Response(
{
"role":
"You do not have permission to assign a role to the given user."
},
status=403,
)
if om.user == request.user and (result["role"] != om.role):
return Response(
{"detail": "You cannot make changes to your own role."},
status=400)
om.update(role=result["role"])
self.create_audit_entry(
request=request,
organization=organization,
target_object=om.id,
target_user=om.user,
event=AuditLogEntryEvent.MEMBER_EDIT,
data=om.get_audit_log_data(),
)
context = self._serialize_member(om, request, allowed_roles)
return Response(context)
def post(self, request, organization, member_id, team_slug):
"""
Join a team
Join or request access to a team.
If the user is already a member of the team, this will simply return
a 204.
If the user needs permission to join the team, an access request will
be generated and the returned status code will be 202.
"""
try:
om = self._get_member(request, organization, member_id)
except OrganizationMember.DoesNotExist:
raise ResourceDoesNotExist
if not self._can_access(request, om):
return Response({'detail': ERR_INSUFFICIENT_ROLE}, status=400)
try:
team = Team.objects.get(
organization=organization,
slug=team_slug,
)
except Team.DoesNotExist:
raise ResourceDoesNotExist
if not om.has_global_access:
try:
omt = OrganizationMemberTeam.objects.get(
team=team,
organizationmember=om,
)
except OrganizationMemberTeam.DoesNotExist:
# TODO(dcramer): this should create a pending request and
# return a 202
if not organization.flags.allow_joinleave:
omt, created = OrganizationAccessRequest.objects.get_or_create(
team=team,
member=om,
)
if created:
omt.send_request_email()
return Response(status=202)
omt = OrganizationMemberTeam(
team=team,
organizationmember=om,
is_active=False,
)
if omt.is_active:
return Response(status=204)
else:
try:
omt = OrganizationMemberTeam.objects.get(
team=team,
organizationmember=om,
)
except OrganizationMemberTeam.DoesNotExist:
# if the relationship doesnt exist, they're already a member
return Response(status=204)
omt.is_active = True
omt.save()
self.create_audit_entry(
request=request,
organization=organization,
target_object=omt.id,
target_user=om.user,
event=AuditLogEntryEvent.MEMBER_JOIN_TEAM,
data=omt.get_audit_log_data(),
)
return Response(serialize(
team, request.user, TeamWithProjectsSerializer()), status=201)
def delete(self, request, organization, member_id, team_slug):
"""
Leave a team
Leave a team.
"""
try:
om = self._get_member(request, organization, member_id)
except OrganizationMember.DoesNotExist:
raise ResourceDoesNotExist
if not self._can_access(request, om):
return Response({'detail': ERR_INSUFFICIENT_ROLE}, status=400)
try:
team = Team.objects.get(
organization=organization,
slug=team_slug,
)
except Team.DoesNotExist:
raise ResourceDoesNotExist
if not om.has_global_access:
try:
omt = OrganizationMemberTeam.objects.get(
team=team,
organizationmember=om,
)
except OrganizationMemberTeam.DoesNotExist:
# if the relationship doesnt exist, they're already a member
return Response(serialize(
team, request.user, TeamWithProjectsSerializer()), status=200)
else:
try:
omt = OrganizationMemberTeam.objects.get(
team=team,
organizationmember=om,
is_active=True,
)
except OrganizationMemberTeam.DoesNotExist:
omt = OrganizationMemberTeam(
team=team,
organizationmember=om,
is_active=True,
)
if omt.is_active:
omt.is_active = False
omt.save()
self.create_audit_entry(
request=request,
organization=organization,
target_object=omt.id,
target_user=om.user,
event=AuditLogEntryEvent.MEMBER_LEAVE_TEAM,
data=omt.get_audit_log_data(),
)
return Response(serialize(
team, request.user, TeamWithProjectsSerializer()), status=200)
def put(self, request, organization, member_id):
try:
om = self._get_member(request, organization, member_id)
except OrganizationMember.DoesNotExist:
raise ResourceDoesNotExist
serializer = OrganizationMemberSerializer(data=request.DATA,
partial=True)
if not serializer.is_valid():
return Response(status=400)
try:
auth_provider = AuthProvider.objects.get(organization=organization)
auth_provider = auth_provider.get_provider()
except AuthProvider.DoesNotExist:
auth_provider = None
allowed_roles = None
result = serializer.object
# XXX(dcramer): if/when this expands beyond reinvite we need to check
# access level
if result.get('reinvite'):
if om.is_pending:
if result.get('regenerate'):
if request.access.has_scope('member:admin'):
om.update(token=om.generate_token())
else:
return Response({'detail': ERR_INSUFFICIENT_SCOPE},
status=400)
om.send_invite_email()
elif auth_provider and not getattr(om.flags, 'sso:linked'):
om.send_sso_link_email(request.user, auth_provider)
else:
# TODO(dcramer): proper error message
return Response({'detail': ERR_UNINVITABLE}, status=400)
if auth_provider:
sso_enabled.send(organization=organization, sender=request.user)
if result.get('teams'):
# dupe code from member_index
# ensure listed teams are real teams
teams = list(
Team.objects.filter(
organization=organization,
status=TeamStatus.VISIBLE,
slug__in=result['teams'],
))
if len(set(result['teams'])) != len(teams):
return Response({'teams': 'Invalid team'}, status=400)
with transaction.atomic():
# teams may be empty
OrganizationMemberTeam.objects.filter(
organizationmember=om).delete()
OrganizationMemberTeam.objects.bulk_create([
OrganizationMemberTeam(team=team, organizationmember=om)
for team in teams
])
if result.get('role'):
_, allowed_roles = get_allowed_roles(request, organization)
if not result['role'] in {r.id for r in allowed_roles}:
return Response(
{
'role':
'You do not have permission to invite that role.'
},
status=403)
om.update(role=result['role'])
context = self._serialize_member(om, request, allowed_roles)
return Response(context)
def put(self, request, organization, member_id):
try:
om = self._get_member(request, organization, member_id)
except OrganizationMember.DoesNotExist:
raise ResourceDoesNotExist
serializer = OrganizationMemberSerializer(
data=request.DATA, partial=True)
if not serializer.is_valid():
return Response(status=400)
try:
auth_provider = AuthProvider.objects.get(organization=organization)
auth_provider = auth_provider.get_provider()
except AuthProvider.DoesNotExist:
auth_provider = None
allowed_roles = None
result = serializer.object
# XXX(dcramer): if/when this expands beyond reinvite we need to check
# access level
if result.get('reinvite'):
if om.is_pending:
if result.get('regenerate'):
if request.access.has_scope('member:admin'):
om.update(token=om.generate_token())
else:
return Response({'detail': ERR_INSUFFICIENT_SCOPE}, status=400)
om.send_invite_email()
elif auth_provider and not getattr(om.flags, 'sso:linked'):
om.send_sso_link_email(request.user, auth_provider)
else:
# TODO(dcramer): proper error message
return Response({'detail': ERR_UNINVITABLE}, status=400)
if result.get('teams'):
# dupe code from member_index
# ensure listed teams are real teams
teams = list(Team.objects.filter(
organization=organization,
status=TeamStatus.VISIBLE,
slug__in=result['teams'],
))
if len(set(result['teams'])) != len(teams):
return Response({'teams': 'Invalid team'}, status=400)
with transaction.atomic():
# teams may be empty
OrganizationMemberTeam.objects.filter(
organizationmember=om).delete()
OrganizationMemberTeam.objects.bulk_create(
[
OrganizationMemberTeam(
team=team, organizationmember=om)
for team in teams
]
)
if result.get('role'):
_, allowed_roles = get_allowed_roles(request, organization)
allowed_role_ids = {r.id for r in allowed_roles}
# A user cannot promote others above themselves
if result['role'] not in allowed_role_ids:
return Response(
{'role': 'You do not have permission to assign the given role.'}, status=403)
# A user cannot demote a superior
if om.role not in allowed_role_ids:
return Response(
{'role': 'You do not have permission to assign a role to the given user.'}, status=403)
if om.user == request.user and (result['role'] != om.role):
return Response(
{'detail': 'You cannot make changes to your own role.'}, status=400)
om.update(role=result['role'])
self.create_audit_entry(
request=request,
organization=organization,
target_object=om.id,
target_user=om.user,
event=AuditLogEntryEvent.MEMBER_EDIT,
data=om.get_audit_log_data(),
)
context = self._serialize_member(om, request, allowed_roles)
return Response(context)
def post(self, request, organization, member_id, team_slug):
"""
Join a team
Join or request access to a team.
If the user is already a member of the team, this will simply return
a 204.
If the user needs permission to join the team, an access request will
be generated and the returned status code will be 202.
"""
try:
om = OrganizationMember.objects.filter(
organization=organization,
id=member_id,
).select_related('user').get()
except OrganizationMember.DoesNotExist:
raise ResourceDoesNotExist
if not self._can_access(request, om):
return Response({'detail': ERR_INSUFFICIENT_ROLE}, status=400)
try:
team = Team.objects.get(
organization=organization,
slug=team_slug,
)
except Team.DoesNotExist:
raise ResourceDoesNotExist
if not om.has_global_access:
try:
omt = OrganizationMemberTeam.objects.get(
team=team,
organizationmember=om,
)
except OrganizationMemberTeam.DoesNotExist:
# TODO(dcramer): this should create a pending request and
# return a 202
if not organization.flags.allow_joinleave:
omt, created = OrganizationAccessRequest.objects.get_or_create(
team=team,
member=om,
)
if created:
omt.send_request_email()
return Response(status=202)
omt = OrganizationMemberTeam(
team=team,
organizationmember=om,
is_active=False,
)
if omt.is_active:
return Response(status=204)
else:
try:
omt = OrganizationMemberTeam.objects.get(
team=team,
organizationmember=om,
)
except OrganizationMemberTeam.DoesNotExist:
# if the relationship doesnt exist, they're already a member
return Response(status=204)
omt.is_active = True
omt.save()
AuditLogEntry.objects.create(
organization=organization,
actor=request.user,
ip_address=request.META['REMOTE_ADDR'],
target_object=omt.id,
target_user=request.user,
event=AuditLogEntryEvent.MEMBER_JOIN_TEAM,
data=omt.get_audit_log_data(),
)
return Response(serialize(team), status=201)
def delete(self, request, organization, member_id, team_slug):
"""
Leave a team
Leave a team.
"""
try:
om = OrganizationMember.objects.filter(
organization=organization,
id=member_id,
).select_related('user').get()
except OrganizationMember.DoesNotExist:
raise ResourceDoesNotExist
if not self._can_access(request, om):
return Response({'detail': ERR_INSUFFICIENT_ROLE}, status=400)
try:
team = Team.objects.get(
organization=organization,
slug=team_slug,
)
except Team.DoesNotExist:
raise ResourceDoesNotExist
if not om.has_global_access:
try:
omt = OrganizationMemberTeam.objects.get(
team=team,
organizationmember=om,
)
except OrganizationMemberTeam.DoesNotExist:
# if the relationship doesnt exist, they're already a member
return Response(status=204)
else:
try:
omt = OrganizationMemberTeam.objects.get(
team=team,
organizationmember=om,
is_active=True,
)
except OrganizationMemberTeam.DoesNotExist:
omt = OrganizationMemberTeam(
team=team,
organizationmember=om,
is_active=True,
)
if omt.is_active:
omt.is_active = False
omt.save()
AuditLogEntry.objects.create(
organization=organization,
actor=request.user,
ip_address=request.META['REMOTE_ADDR'],
target_object=omt.id,
target_user=request.user,
event=AuditLogEntryEvent.MEMBER_LEAVE_TEAM,
data=omt.get_audit_log_data(),
)
return Response(status=204)
def delete(self, request, organization, member_id, team_slug):
"""
Leave a team
Leave a team.
"""
try:
om = self._get_member(request, organization, member_id)
except OrganizationMember.DoesNotExist:
raise ResourceDoesNotExist
if not self._can_access(request, om):
return Response({'detail': ERR_INSUFFICIENT_ROLE}, status=400)
try:
team = Team.objects.get(
organization=organization,
slug=team_slug,
)
except Team.DoesNotExist:
raise ResourceDoesNotExist
if not om.has_global_access:
try:
omt = OrganizationMemberTeam.objects.get(
team=team,
organizationmember=om,
)
except OrganizationMemberTeam.DoesNotExist:
# if the relationship doesnt exist, they're already a member
return Response(serialize(team, request.user,
TeamWithProjectsSerializer()),
status=200)
else:
try:
omt = OrganizationMemberTeam.objects.get(
team=team,
organizationmember=om,
is_active=True,
)
except OrganizationMemberTeam.DoesNotExist:
omt = OrganizationMemberTeam(
team=team,
organizationmember=om,
is_active=True,
)
if omt.is_active:
omt.is_active = False
omt.save()
self.create_audit_entry(
request=request,
organization=organization,
target_object=omt.id,
target_user=om.user,
event=AuditLogEntryEvent.MEMBER_LEAVE_TEAM,
data=omt.get_audit_log_data(),
)
return Response(serialize(team, request.user,
TeamWithProjectsSerializer()),
status=200)
def delete(self, request, organization, member_id, team_slug):
"""
Leave a team
Leave a team.
"""
try:
om = OrganizationMember.objects.filter(
organization=organization,
id=member_id,
).select_related('user').get()
except OrganizationMember.DoesNotExist:
raise ResourceDoesNotExist
if not self._can_access(request, om):
return Response({'detail': ERR_INSUFFICIENT_ROLE}, status=400)
try:
team = Team.objects.get(
organization=organization,
slug=team_slug,
)
except Team.DoesNotExist:
raise ResourceDoesNotExist
if not om.has_global_access:
try:
omt = OrganizationMemberTeam.objects.get(
team=team,
organizationmember=om,
)
except OrganizationMemberTeam.DoesNotExist:
# if the relationship doesnt exist, they're already a member
return Response(status=204)
else:
try:
omt = OrganizationMemberTeam.objects.get(
team=team,
organizationmember=om,
is_active=True,
)
except OrganizationMemberTeam.DoesNotExist:
omt = OrganizationMemberTeam(
team=team,
organizationmember=om,
is_active=True,
)
if omt.is_active:
omt.is_active = False
omt.save()
AuditLogEntry.objects.create(
organization=organization,
actor=request.user,
ip_address=request.META['REMOTE_ADDR'],
target_object=omt.id,
target_user=request.user,
event=AuditLogEntryEvent.MEMBER_LEAVE_TEAM,
data=omt.get_audit_log_data(),
)
return Response(status=204)
