def _auth_radius(username, password):
    """Complete a RADIUS single sign-on login and answer with a key-link redirect.

    Verifies the credentials with ``sso.verify_radius``, resolves the target
    organization (the id RADIUS returned, else ``settings.app.sso_org``),
    provisions the user on first login or updates an existing one, and
    returns a 202 whose ``redirect`` points at a one-time profile key link.

    Args:
        username: Login name as supplied by the client.
        password: RADIUS password as supplied by the client.

    Returns:
        A ``utils.jsonify`` response: 401 on rejected credentials, 403 for a
        disabled user, 202 with the redirect on success. An unknown
        organization goes through ``flask.abort(405)``, which raises.
    """
    valid, org_id = sso.verify_radius(username, password)
    if not valid:
        return utils.jsonify({"error": AUTH_INVALID, "error_msg": AUTH_INVALID_MSG}, 401)
    # RADIUS may not name an organization; fall back to the configured default.
    if not org_id:
        org_id = settings.app.sso_org
    org = organization.get_by_id(org_id)
    if not org:
        # abort() raises an HTTPException, so no value is actually returned here.
        return flask.abort(405)
    usr = org.find_user(name=username)
    if not usr:
        # First login through RADIUS: create the user as a client-certificate holder.
        usr = org.new_user(name=username, type=CERT_CLIENT, auth_type=RADIUS_AUTH)
        usr.audit_event("user_created", "User created with single sign-on", remote_addr=utils.get_remote_addr())
        event.Event(type=ORGS_UPDATED)
        event.Event(type=USERS_UPDATED, resource_id=org.id)
        event.Event(type=SERVERS_UPDATED)
    else:
        if usr.disabled:
            return utils.jsonify({"error": AUTH_DISABLED, "error_msg": AUTH_DISABLED_MSG}, 403)
        # Migrating an existing user onto RADIUS also clears any stored PIN.
        if usr.auth_type != RADIUS_AUTH:
            usr.auth_type = RADIUS_AUTH
            usr.set_pin(None)
            usr.commit(("auth_type", "pin"))
    key_link = org.create_user_key_link(usr.id, one_time=True)
    usr.audit_event("user_profile", "User profile viewed from single sign-on", remote_addr=utils.get_remote_addr())
    # NOTE(review): the redirect host is taken from flask.request.url_root, i.e.
    # the request's Host header; confirm the deployment pins it. Other revisions
    # of this handler on this page build the root from utils.get_url_root().
    return utils.jsonify({"redirect": flask.request.url_root[:-1] + key_link["view_url"]}, 202)
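def sso_auth_check(self, password):
    """Re-validate this user against its single sign-on provider.

    Dispatches on ``self.auth_type``: Google (lookup against the auth
    server), OneLogin (``sso.auth_onelogin``) or RADIUS
    (``sso.verify_radius``, which is the only branch that uses
    ``password``). Provider errors are caught as ``Exception`` (not a bare
    ``except``), logged, and fail closed.

    Returns:
        True when the provider still accepts the user, or when none of the
        handled providers appears in ``self.auth_type``; False when the
        provider rejects the user or the check raises.
    """
    if GOOGLE_AUTH in self.auth_type:
        try:
            # NOTE(review): self.email is interpolated into the query string
            # without URL-encoding; other revisions on this page wrap it in
            # urllib.quote.
            resp = utils.request.get(AUTH_SERVER +
                '/update/google?user=%s&license=%s' % (
                    self.email, settings.app.license))
            if resp.status_code == 200:
                return True
        except Exception:
            # Exception, not bare except: KeyboardInterrupt/SystemExit
            # keep propagating instead of being turned into a False.
            logger.exception('Google auth check error', 'user',
                user_id=self.id,
            )
        # Reached on a non-200 reply or after an error: fail closed rather
        # than falling through to the trailing return True.
        return False
    elif SAML_ONELOGIN_AUTH in self.auth_type:
        try:
            return sso.auth_onelogin(self.name)
        except Exception:
            logger.exception('OneLogin auth check error', 'user',
                user_id=self.id,
            )
            return False
    elif RADIUS_AUTH in self.auth_type:
        try:
            # verify_radius returns a tuple; index 0 is the validity flag.
            return sso.verify_radius(self.name, password)[0]
        except Exception:
            logger.exception('Radius auth check error', 'user',
                user_id=self.id,
            )
            return False
    # No handled provider in auth_type: nothing to re-check.
    return True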
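def sso_auth_check(self, password):
    """Re-validate this user against its single sign-on provider.

    Dispatches on ``self.auth_type``: Google and Slack (lookups against the
    auth server), OneLogin, Okta, or RADIUS (``sso.verify_radius``, the only
    branch that uses ``password``). Provider errors are caught as
    ``Exception`` (not a bare ``except``), logged, and fail closed.

    Returns:
        True when the provider still accepts the user, or when none of the
        handled providers appears in ``self.auth_type``; False when the
        provider rejects the user or the check raises.
    """
    if GOOGLE_AUTH in self.auth_type:
        try:
            resp = requests.get(AUTH_SERVER +
                '/update/google?user=%s&license=%s' % (
                    urllib.quote(self.email),
                    settings.app.license,
                ))
            if resp.status_code == 200:
                return True
        except Exception:
            # Exception, not bare except: KeyboardInterrupt/SystemExit
            # keep propagating instead of being turned into a False.
            logger.exception('Google auth check error', 'user',
                user_id=self.id,
            )
        # Reached on a non-200 reply or after an error: fail closed rather
        # than falling through to the trailing return True.
        return False
    elif SLACK_AUTH in self.auth_type:
        try:
            # NOTE(review): no type guard on settings.app.sso_match here; if it
            # were a str, [0] would silently yield its first character. Other
            # revisions on this page raise TypeError unless it is a list.
            resp = requests.get(AUTH_SERVER +
                '/update/slack?user=%s&team=%s&license=%s' % (
                    urllib.quote(self.name),
                    urllib.quote(settings.app.sso_match[0]),
                    settings.app.license,
                ))
            if resp.status_code == 200:
                return True
        except Exception:
            logger.exception('Slack auth check error', 'user',
                user_id=self.id,
            )
        return False
    elif SAML_ONELOGIN_AUTH in self.auth_type:
        try:
            return sso.auth_onelogin(self.name)
        except Exception:
            logger.exception('OneLogin auth check error', 'user',
                user_id=self.id,
            )
            return False
    elif SAML_OKTA_AUTH in self.auth_type:
        try:
            return sso.auth_okta(self.name)
        except Exception:
            logger.exception('Okta auth check error', 'user',
                user_id=self.id,
            )
            return False
    elif RADIUS_AUTH in self.auth_type:
        try:
            # verify_radius returns a tuple; index 0 is the validity flag.
            return sso.verify_radius(self.name, password)[0]
        except Exception:
            logger.exception('Radius auth check error', 'user',
                user_id=self.id,
            )
            return False
    # No handled provider in auth_type: nothing to re-check.
    return True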
def _auth_radius(username, password):
    """Complete a RADIUS single sign-on login and answer with a key-link redirect.

    Verifies the credentials with ``sso.verify_radius``, resolves the target
    organization (the id RADIUS returned, else ``settings.app.sso_org``),
    provisions the user on first login or updates an existing one, and
    returns a 202 whose ``redirect`` points at a one-time profile key link.

    Args:
        username: Login name as supplied by the client.
        password: RADIUS password as supplied by the client.

    Returns:
        A ``utils.jsonify`` response: 401 on rejected credentials, 403 for a
        disabled user, 202 with the redirect on success. An unknown
        organization goes through ``flask.abort(405)``, which raises.
    """
    valid, org_id = sso.verify_radius(username, password)
    if not valid:
        return utils.jsonify(
            {
                'error': AUTH_INVALID,
                'error_msg': AUTH_INVALID_MSG,
            }, 401)

    # RADIUS may not name an organization; fall back to the configured default.
    if not org_id:
        org_id = settings.app.sso_org

    org = organization.get_by_id(org_id)
    if not org:
        # abort() raises an HTTPException, so no value is actually returned here.
        return flask.abort(405)

    usr = org.find_user(name=username)
    if not usr:
        # First login through RADIUS: create the user as a client-certificate holder.
        usr = org.new_user(name=username, type=CERT_CLIENT,
            auth_type=RADIUS_AUTH)
        usr.audit_event(
            'user_created',
            'User created with single sign-on',
            remote_addr=utils.get_remote_addr(),
        )
        event.Event(type=ORGS_UPDATED)
        event.Event(type=USERS_UPDATED, resource_id=org.id)
        event.Event(type=SERVERS_UPDATED)
    else:
        if usr.disabled:
            return utils.jsonify(
                {
                    'error': AUTH_DISABLED,
                    'error_msg': AUTH_DISABLED_MSG,
                }, 403)

        # Migrating an existing user onto RADIUS also clears any stored PIN.
        if usr.auth_type != RADIUS_AUTH:
            usr.auth_type = RADIUS_AUTH
            usr.set_pin(None)
            usr.commit(('auth_type', 'pin'))

    key_link = org.create_user_key_link(usr.id, one_time=True)

    usr.audit_event(
        'user_profile',
        'User profile viewed from single sign-on',
        remote_addr=utils.get_remote_addr(),
    )

    # NOTE(review): the redirect host is taken from flask.request.url_root, i.e.
    # the request's Host header; confirm the deployment pins it. Other revisions
    # of this handler on this page build the root from utils.get_url_root().
    return utils.jsonify(
        {
            'redirect': flask.request.url_root[:-1] + key_link['view_url'],
        }, 202)
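def sso_auth_check(self, password, remote_ip):
    """Re-validate this user against its single sign-on provider.

    A provider branch runs only when the provider is both in
    ``self.auth_type`` and in the server-wide ``settings.app.sso`` mode
    (the plugin branch is the exception and is gated on ``auth_type``
    alone). Remote providers honour ``settings.user.skip_remote_sso_check``
    and talk to ``settings.app.dedicated`` when set, else ``AUTH_SERVER``.
    Google and Azure in ``'groups'`` mode also replace ``self.groups`` with
    the provider's list and commit it. Provider errors are caught as
    ``Exception`` (not a bare ``except``), logged, and fail closed.

    Args:
        password: Forwarded to RADIUS and plugin authentication only.
        remote_ip: Forwarded to plugin authentication only.

    Returns:
        True when the provider still accepts the user, or when no branch
        applies; False when the provider rejects the user, replies with a
        non-200 status, or the check raises.
    """
    sso_mode = settings.app.sso or ''
    auth_server = AUTH_SERVER
    if settings.app.dedicated:
        auth_server = settings.app.dedicated

    if GOOGLE_AUTH in self.auth_type and GOOGLE_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        try:
            resp = requests.get(auth_server +
                '/update/google?user=%s&license=%s' % (
                    urllib.quote(self.email),
                    settings.app.license,
                ))

            if resp.status_code != 200:
                # The reply body is logged verbatim on failure.
                logger.error(
                    'Google auth check request error', 'user',
                    user_id=self.id,
                    user_name=self.name,
                    status_code=resp.status_code,
                    content=resp.content,
                )
                return False

            valid, google_groups = sso.verify_google(self.email)
            if not valid:
                logger.error(
                    'Google auth check failed', 'user',
                    user_id=self.id,
                    user_name=self.name,
                )
                return False

            # In groups mode the provider's list replaces the local one
            # (removals included), unlike the union done at SSO login.
            if settings.app.sso_google_mode == 'groups':
                cur_groups = set(self.groups)
                new_groups = set(google_groups)

                if cur_groups != new_groups:
                    self.groups = list(new_groups)
                    self.commit('groups')

            return True
        except Exception:
            # Exception, not bare except: KeyboardInterrupt/SystemExit
            # keep propagating instead of being turned into a False.
            logger.exception(
                'Google auth check error', 'user',
                user_id=self.id,
                user_name=self.name,
            )
            return False
    elif AZURE_AUTH in self.auth_type and AZURE_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        try:
            # The app secret travels as a GET query parameter; query strings
            # are routinely captured by proxy and access logs, so treat those
            # logs (and resp.content below) as sensitive.
            resp = requests.get(
                auth_server + ('/update/azure?user=%s&license=%s&' +
                    'directory_id=%s&app_id=%s&app_secret=%s') % (
                    urllib.quote(self.name),
                    settings.app.license,
                    urllib.quote(settings.app.sso_azure_directory_id),
                    urllib.quote(settings.app.sso_azure_app_id),
                    urllib.quote(settings.app.sso_azure_app_secret),
                ))

            if resp.status_code != 200:
                logger.error(
                    'Azure auth check request error', 'user',
                    user_id=self.id,
                    user_name=self.name,
                    status_code=resp.status_code,
                    content=resp.content,
                )
                return False

            valid, azure_groups = sso.verify_azure(self.name)
            if not valid:
                logger.error(
                    'Azure auth check failed', 'user',
                    user_id=self.id,
                    user_name=self.name,
                )
                return False

            if settings.app.sso_azure_mode == 'groups':
                cur_groups = set(self.groups)
                new_groups = set(azure_groups)

                if cur_groups != new_groups:
                    self.groups = list(new_groups)
                    self.commit('groups')

            return True
        except Exception:
            logger.exception(
                'Azure auth check error', 'user',
                user_id=self.id,
                user_name=self.name,
            )
            return False
    elif SLACK_AUTH in self.auth_type and SLACK_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        # Deliberately outside the try: a misconfigured sso_match is a
        # deployment error and must not be logged away as a failed check.
        if not isinstance(settings.app.sso_match, list):
            raise TypeError('Invalid sso match')

        try:
            resp = requests.get(
                auth_server + '/update/slack?user=%s&team=%s&license=%s' % (
                    urllib.quote(self.name),
                    urllib.quote(settings.app.sso_match[0]),
                    settings.app.license,
                ))

            if resp.status_code != 200:
                logger.error(
                    'Slack auth check request error', 'user',
                    user_id=self.id,
                    user_name=self.name,
                    status_code=resp.status_code,
                    content=resp.content,
                )
                return False

            return True
        except Exception:
            logger.exception(
                'Slack auth check error', 'user',
                user_id=self.id,
                user_name=self.name,
            )
            return False
    elif SAML_ONELOGIN_AUTH in self.auth_type and \
            SAML_ONELOGIN_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        try:
            return sso.auth_onelogin(self.name)
        except Exception:
            logger.exception(
                'OneLogin auth check error', 'user',
                user_id=self.id,
                user_name=self.name,
            )
            return False
    elif SAML_OKTA_AUTH in self.auth_type and \
            SAML_OKTA_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        try:
            return sso.auth_okta(self.name)
        except Exception:
            logger.exception(
                'Okta auth check error', 'user',
                user_id=self.id,
                user_name=self.name,
            )
            return False
    elif RADIUS_AUTH in self.auth_type and RADIUS_AUTH in sso_mode:
        try:
            # verify_radius returns a tuple; index 0 is the validity flag.
            return sso.verify_radius(self.name, password)[0]
        except Exception:
            logger.exception(
                'Radius auth check error', 'user',
                user_id=self.id,
                user_name=self.name,
            )
            return False
    elif PLUGIN_AUTH in self.auth_type:
        # Not gated on sso_mode, unlike the provider branches above.
        try:
            return sso.plugin_login_authenticate(
                user_name=self.name,
                password=password,
                remote_ip=remote_ip,
            )[0]
        except Exception:
            logger.exception(
                'Plugin auth check error', 'user',
                user_id=self.id,
                user_name=self.name,
            )
            return False

    # No branch applied: nothing to re-check.
    return True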
def _auth_radius(username, password):
    """Complete a RADIUS (optionally RADIUS+Duo) single sign-on login.

    Verifies the credentials with ``sso.verify_radius``, maps any returned
    organization names onto an id (first match wins, else
    ``settings.app.sso_org``), runs the SSO plugin hook, performs the Duo
    second factor when ``DUO_AUTH`` is in the configured SSO mode, then
    provisions or updates the user and answers with a 202 carrying a
    one-time profile key-link redirect.

    Args:
        username: Login name as supplied by the client.
        password: RADIUS password as supplied by the client.

    Returns:
        A ``utils.jsonify`` response: 401 when RADIUS, the plugin hook or
        Duo rejects the login, 403 for a disabled user, 202 with the
        redirect on success. An unknown organization goes through
        ``flask.abort(405)``, which raises.
    """
    sso_mode = settings.app.sso

    valid, org_names, groups = sso.verify_radius(username, password)
    if not valid:
        return utils.jsonify({
            'error': AUTH_INVALID,
            'error_msg': AUTH_INVALID_MSG,
        }, 401)

    org_id = settings.app.sso_org
    if org_names:
        for org_name in org_names:
            # NOTE(review): ('_id') is a str, not a one-element tuple;
            # ('_id',) was presumably intended - confirm what get_by_name
            # accepts for fields.
            org = organization.get_by_name(org_name, fields=('_id'))
            if org:
                org_id = org.id
                break

    # Plugin hook may override the organization and contribute groups.
    valid, org_id_new, groups2 = sso.plugin_sso_authenticate(
        sso_type='radius',
        user_name=username,
        user_email=None,
        remote_ip=utils.get_remote_addr(),
    )
    if valid:
        org_id = org_id_new or org_id
    else:
        logger.error('Radius plugin authentication not valid', 'sso',
            username=username,
        )
        return utils.jsonify({
            'error': AUTH_INVALID,
            'error_msg': AUTH_INVALID_MSG,
        }, 401)
    # Union of RADIUS and plugin groups; an empty union collapses to None.
    groups = ((groups or set()) | (groups2 or set())) or None

    if DUO_AUTH in sso_mode:
        try:
            duo_auth = sso.Duo(
                username=username,
                factor=settings.app.sso_duo_mode,
                remote_ip=utils.get_remote_addr(),
                auth_type='Key',
            )
            valid = duo_auth.authenticate()
        except InvalidUser:
            # Only an unknown Duo user is handled here; other Duo errors propagate.
            logger.error('Duo authentication username not valid', 'sso',
                username=username,
            )
            return utils.jsonify({
                'error': AUTH_INVALID,
                'error_msg': AUTH_INVALID_MSG,
            }, 401)

        if valid:
            valid, org_id_new, groups2 = sso.plugin_sso_authenticate(
                sso_type='duo',
                user_name=username,
                user_email=None,
                remote_ip=utils.get_remote_addr(),
            )
            if valid:
                org_id = org_id_new or org_id
            else:
                logger.error('Duo plugin authentication not valid', 'sso',
                    username=username,
                )
                return utils.jsonify({
                    'error': AUTH_INVALID,
                    'error_msg': AUTH_INVALID_MSG,
                }, 401)
            groups = ((groups or set()) | (groups2 or set())) or None
        else:
            logger.error('Duo authentication not valid', 'sso',
                username=username,
            )
            return utils.jsonify({
                'error': AUTH_INVALID,
                'error_msg': AUTH_INVALID_MSG,
            }, 401)
        # Only the valid path reaches here, so this repeats the union above
        # with the same groups2; it is a no-op.
        groups = ((groups or set()) | (groups2 or set())) or None

    org = organization.get_by_id(org_id)
    if not org:
        # abort() raises an HTTPException, so no value is actually returned here.
        return flask.abort(405)

    usr = org.find_user(name=username)
    if not usr:
        # First SSO login: the user's auth_type is the whole configured mode
        # string, not RADIUS_AUTH alone.
        usr = org.new_user(name=username, type=CERT_CLIENT,
            auth_type=sso_mode, groups=list(groups) if groups else None)
        usr.audit_event(
            'user_created',
            'User created with single sign-on',
            remote_addr=utils.get_remote_addr(),
        )
        event.Event(type=ORGS_UPDATED)
        event.Event(type=USERS_UPDATED, resource_id=org.id)
        event.Event(type=SERVERS_UPDATED)
    else:
        if usr.disabled:
            return utils.jsonify({
                'error': AUTH_DISABLED,
                'error_msg': AUTH_DISABLED_MSG,
            }, 403)

        # Groups are only ever added to an existing user here; a group the
        # identity source no longer reports is kept locally, so membership
        # can only drift upward from this path.
        if groups and groups - set(usr.groups or []):
            usr.groups = list(set(usr.groups or []) | groups)
            usr.commit('groups')

        # Migrating an existing user onto the SSO mode also clears any stored PIN.
        if usr.auth_type != sso_mode:
            usr.auth_type = sso_mode
            usr.set_pin(None)
            usr.commit(('auth_type', 'pin'))

    key_link = org.create_user_key_link(usr.id, one_time=True)

    usr.audit_event('user_profile',
        'User profile viewed from single sign-on',
        remote_addr=utils.get_remote_addr(),
    )

    return utils.jsonify({
        'redirect': utils.get_url_root() + key_link['view_url'],
    }, 202)
def _auth_radius(username, password, remote_addr):
    """Complete a RADIUS (optionally RADIUS+Duo) single sign-on login.

    Same flow as the earlier revisions of this handler - RADIUS check,
    organization-name mapping, plugin hook, optional Duo second factor,
    user provisioning or update, one-time key-link redirect - with every
    failure and success additionally recorded through ``journal.entry``.

    Args:
        username: Login name as supplied by the client.
        password: RADIUS password as supplied by the client.
        remote_addr: Client address recorded in journal and audit entries.
            Plugin and Duo calls still read ``utils.get_remote_addr()``.

    Returns:
        A ``utils.jsonify`` response: 401 when RADIUS, the plugin hook or
        Duo rejects the login, 403 for a disabled user, 202 with the
        redirect on success. An unknown organization goes through
        ``flask.abort(405)``, which raises.
    """
    sso_mode = settings.app.sso

    valid, org_names, groups = sso.verify_radius(username, password)
    if not valid:
        journal.entry(
            journal.SSO_AUTH_FAILURE,
            user_name=username,
            remote_address=remote_addr,
            reason=journal.SSO_AUTH_REASON_RADIUS_FAILED,
            reason_long='Radius authentication failed',
        )

        return utils.jsonify(
            {
                'error': AUTH_INVALID,
                'error_msg': AUTH_INVALID_MSG,
            }, 401)

    org_id = settings.app.sso_org
    if org_names:
        not_found = False
        for org_name in org_names:
            # NOTE(review): ('_id') is a str, not a one-element tuple;
            # ('_id',) was presumably intended - confirm what get_by_name
            # accepts for fields.
            org = organization.get_by_name(org_name, fields=('_id'))
            if org:
                not_found = False
                org_id = org.id
                break
            else:
                not_found = True

        # Warn only when none of the supplied names resolved; the login then
        # continues against the configured default organization.
        if not_found:
            logger.warning(
                'Supplied org names do not exist', 'sso',
                sso_type='radius',
                user_name=username,
                org_names=org_names,
            )

    # Plugin hook may override the organization and contribute groups.
    valid, org_id_new, groups2 = sso.plugin_sso_authenticate(
        sso_type='radius',
        user_name=username,
        user_email=None,
        remote_ip=utils.get_remote_addr(),
    )
    if valid:
        org_id = org_id_new or org_id
    else:
        journal.entry(
            journal.SSO_AUTH_FAILURE,
            user_name=username,
            remote_address=remote_addr,
            reason=journal.SSO_AUTH_REASON_PLUGIN_FAILED,
            reason_long='Radius plugin authentication failed',
        )

        logger.error(
            'Radius plugin authentication not valid', 'sso',
            username=username,
        )

        return utils.jsonify(
            {
                'error': AUTH_INVALID,
                'error_msg': AUTH_INVALID_MSG,
            }, 401)
    # Union of RADIUS and plugin groups; an empty union collapses to None.
    groups = ((groups or set()) | (groups2 or set())) or None

    if DUO_AUTH in sso_mode:
        try:
            duo_auth = sso.Duo(
                username=username,
                factor=settings.app.sso_duo_mode,
                remote_ip=utils.get_remote_addr(),
                auth_type='Key',
            )
            valid = duo_auth.authenticate()
        except InvalidUser:
            # Only an unknown Duo user is handled here; other Duo errors propagate.
            logger.error(
                'Duo authentication username not valid', 'sso',
                username=username,
            )

            journal.entry(
                journal.SSO_AUTH_FAILURE,
                user_name=username,
                remote_address=remote_addr,
                reason=journal.SSO_AUTH_REASON_DUO_FAILED,
                reason_long='Duo authentication invalid username',
            )

            return utils.jsonify(
                {
                    'error': AUTH_INVALID,
                    'error_msg': AUTH_INVALID_MSG,
                }, 401)

        if valid:
            valid, org_id_new, groups2 = sso.plugin_sso_authenticate(
                sso_type='duo',
                user_name=username,
                user_email=None,
                remote_ip=utils.get_remote_addr(),
            )
            if valid:
                org_id = org_id_new or org_id
            else:
                journal.entry(
                    journal.SSO_AUTH_FAILURE,
                    user_name=username,
                    remote_address=remote_addr,
                    reason=journal.SSO_AUTH_REASON_PLUGIN_FAILED,
                    reason_long='Duo plugin authentication failed',
                )

                logger.error(
                    'Duo plugin authentication not valid', 'sso',
                    username=username,
                )

                return utils.jsonify(
                    {
                        'error': AUTH_INVALID,
                        'error_msg': AUTH_INVALID_MSG,
                    }, 401)
            groups = ((groups or set()) | (groups2 or set())) or None
        else:
            logger.error(
                'Duo authentication not valid', 'sso',
                username=username,
            )

            journal.entry(
                journal.SSO_AUTH_FAILURE,
                user_name=username,
                remote_address=remote_addr,
                reason=journal.SSO_AUTH_REASON_DUO_FAILED,
                reason_long='Duo authentication failed',
            )

            return utils.jsonify(
                {
                    'error': AUTH_INVALID,
                    'error_msg': AUTH_INVALID_MSG,
                }, 401)
        # Only the valid path reaches here, so this repeats the union above
        # with the same groups2; it is a no-op.
        groups = ((groups or set()) | (groups2 or set())) or None

    org = organization.get_by_id(org_id)
    if not org:
        logger.error(
            'Organization for sso does not exist', 'auth',
            org_id=org_id,
        )
        # abort() raises an HTTPException, so no value is actually returned here.
        return flask.abort(405)

    usr = org.find_user(name=username)
    if not usr:
        # First SSO login: the user's auth_type is the whole configured mode
        # string, not RADIUS_AUTH alone.
        usr = org.new_user(name=username, type=CERT_CLIENT,
            auth_type=sso_mode, groups=list(groups) if groups else None)
        usr.audit_event(
            'user_created',
            'User created with single sign-on',
            remote_addr=remote_addr,
        )

        journal.entry(
            journal.USER_CREATE,
            usr.journal_data,
            event_long='User created with single sign-on',
            remote_address=remote_addr,
        )

        event.Event(type=ORGS_UPDATED)
        event.Event(type=USERS_UPDATED, resource_id=org.id)
        event.Event(type=SERVERS_UPDATED)
    else:
        if usr.disabled:
            return utils.jsonify(
                {
                    'error': AUTH_DISABLED,
                    'error_msg': AUTH_DISABLED_MSG,
                }, 403)

        # Groups are only ever added to an existing user here; a group the
        # identity source no longer reports is kept locally, so membership
        # can only drift upward from this path.
        if groups and groups - set(usr.groups or []):
            usr.groups = list(set(usr.groups or []) | groups)
            usr.commit('groups')

        # Migrating an existing user onto the SSO mode also clears any stored PIN.
        if usr.auth_type != sso_mode:
            usr.auth_type = sso_mode
            usr.set_pin(None)
            usr.commit(('auth_type', 'pin'))

    key_link = org.create_user_key_link(usr.id, one_time=True)

    # The journal records an MD5 fingerprint of the one-time key-link id,
    # presumably so the raw id is not written to the log; it is a correlation
    # handle, not a security control.
    journal.entry(
        journal.SSO_AUTH_SUCCESS,
        usr.journal_data,
        key_id_hash=hashlib.md5(key_link['id'].encode()).hexdigest(),
        remote_address=remote_addr,
    )

    # NOTE(review): this audit entry reads utils.get_remote_addr() while the
    # journal entries around it use the remote_addr parameter - confirm both
    # resolve to the same address behind the deployment's proxy setup.
    usr.audit_event(
        'user_profile',
        'User profile viewed from single sign-on',
        remote_addr=utils.get_remote_addr(),
    )

    journal.entry(
        journal.USER_PROFILE_SUCCESS,
        usr.journal_data,
        event_long='User profile viewed from single sign-on',
        remote_address=remote_addr,
    )

    return utils.jsonify(
        {
            'redirect': utils.get_url_root() + key_link['view_url'],
        }, 202)
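def sso_auth_check(self, password, remote_ip):
    """Re-validate this user against its single sign-on provider.

    A provider branch runs only when the provider is both in
    ``self.auth_type`` and in the server-wide ``settings.app.sso`` mode
    (the plugin branch is the exception and is gated on ``auth_type``
    alone). Remote providers honour ``settings.user.skip_remote_sso_check``
    and talk to ``settings.app.dedicated`` when set, else ``AUTH_SERVER``.
    Provider errors are caught as ``Exception`` (not a bare ``except``),
    logged, and fail closed.

    Args:
        password: Forwarded to RADIUS and plugin authentication only.
        remote_ip: Forwarded to plugin authentication only.

    Returns:
        True when the provider still accepts the user, or when no branch
        applies; False when the provider rejects the user, replies with a
        non-200 status, or the check raises.
    """
    sso_mode = settings.app.sso or ''
    auth_server = AUTH_SERVER
    if settings.app.dedicated:
        auth_server = settings.app.dedicated

    if GOOGLE_AUTH in self.auth_type and GOOGLE_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        try:
            resp = requests.get(auth_server +
                '/update/google?user=%s&license=%s' % (
                    urllib.quote(self.email),
                    settings.app.license,
                ))

            if resp.status_code == 200:
                return True
        except Exception:
            # Exception, not bare except: KeyboardInterrupt/SystemExit
            # keep propagating instead of being turned into a False.
            logger.exception(
                'Google auth check error', 'user',
                user_id=self.id,
            )
        # Reached on a non-200 reply or after an error: fail closed rather
        # than falling through to the trailing return True.
        return False
    elif SLACK_AUTH in self.auth_type and SLACK_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        # Deliberately outside the try: a misconfigured sso_match is a
        # deployment error and must not be logged away as a failed check.
        if not isinstance(settings.app.sso_match, list):
            raise TypeError('Invalid sso match')

        try:
            resp = requests.get(
                auth_server + '/update/slack?user=%s&team=%s&license=%s' % (
                    urllib.quote(self.name),
                    urllib.quote(settings.app.sso_match[0]),
                    settings.app.license,
                ))

            if resp.status_code == 200:
                return True
        except Exception:
            logger.exception(
                'Slack auth check error', 'user',
                user_id=self.id,
            )
        return False
    elif SAML_ONELOGIN_AUTH in self.auth_type and \
            SAML_ONELOGIN_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        try:
            return sso.auth_onelogin(self.name)
        except Exception:
            logger.exception(
                'OneLogin auth check error', 'user',
                user_id=self.id,
            )
            return False
    elif SAML_OKTA_AUTH in self.auth_type and \
            SAML_OKTA_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        try:
            return sso.auth_okta(self.name)
        except Exception:
            logger.exception(
                'Okta auth check error', 'user',
                user_id=self.id,
            )
            return False
    elif RADIUS_AUTH in self.auth_type and RADIUS_AUTH in sso_mode:
        try:
            # verify_radius returns a tuple; index 0 is the validity flag.
            return sso.verify_radius(self.name, password)[0]
        except Exception:
            logger.exception(
                'Radius auth check error', 'user',
                user_id=self.id,
            )
            return False
    elif PLUGIN_AUTH in self.auth_type:
        # Not gated on sso_mode, unlike the provider branches above.
        try:
            return sso.plugin_login_authenticate(
                user_name=self.name,
                password=password,
                remote_ip=remote_ip,
            )[0]
        except Exception:
            logger.exception(
                'Plugin auth check error', 'user',
                user_id=self.id,
            )
            return False

    # No branch applied: nothing to re-check.
    return True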
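def sso_auth_check(self, password, remote_ip):
    """Re-validate this user against its single sign-on provider.

    A provider branch runs only when the provider is both in
    ``self.auth_type`` and in the server-wide ``settings.app.sso`` mode
    (the plugin branch is the exception and is gated on ``auth_type``
    alone). Remote providers honour ``settings.user.skip_remote_sso_check``
    and always talk to ``AUTH_SERVER``. Provider errors are caught as
    ``Exception`` (not a bare ``except``), logged, and fail closed.

    Args:
        password: Forwarded to RADIUS and plugin authentication only.
        remote_ip: Forwarded to plugin authentication only.

    Returns:
        True when the provider still accepts the user, or when no branch
        applies; False when the provider rejects the user, replies with a
        non-200 status, or the check raises.
    """
    sso_mode = settings.app.sso or ''

    if GOOGLE_AUTH in self.auth_type and GOOGLE_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        try:
            resp = requests.get(AUTH_SERVER +
                '/update/google?user=%s&license=%s' % (
                    urllib.quote(self.email),
                    settings.app.license,
                ))

            if resp.status_code == 200:
                return True
        except Exception:
            # Exception, not bare except: KeyboardInterrupt/SystemExit
            # keep propagating instead of being turned into a False.
            logger.exception('Google auth check error', 'user',
                user_id=self.id,
            )
        # Reached on a non-200 reply or after an error: fail closed rather
        # than falling through to the trailing return True.
        return False
    elif SLACK_AUTH in self.auth_type and SLACK_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        # Deliberately outside the try: a misconfigured sso_match is a
        # deployment error and must not be logged away as a failed check.
        if not isinstance(settings.app.sso_match, list):
            raise TypeError('Invalid sso match')

        try:
            resp = requests.get(AUTH_SERVER +
                '/update/slack?user=%s&team=%s&license=%s' % (
                    urllib.quote(self.name),
                    urllib.quote(settings.app.sso_match[0]),
                    settings.app.license,
                ))

            if resp.status_code == 200:
                return True
        except Exception:
            logger.exception('Slack auth check error', 'user',
                user_id=self.id,
            )
        return False
    elif SAML_ONELOGIN_AUTH in self.auth_type and \
            SAML_ONELOGIN_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        try:
            return sso.auth_onelogin(self.name)
        except Exception:
            logger.exception('OneLogin auth check error', 'user',
                user_id=self.id,
            )
            return False
    elif SAML_OKTA_AUTH in self.auth_type and \
            SAML_OKTA_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        try:
            return sso.auth_okta(self.name)
        except Exception:
            logger.exception('Okta auth check error', 'user',
                user_id=self.id,
            )
            return False
    elif RADIUS_AUTH in self.auth_type and RADIUS_AUTH in sso_mode:
        try:
            # verify_radius returns a tuple; index 0 is the validity flag.
            return sso.verify_radius(self.name, password)[0]
        except Exception:
            logger.exception('Radius auth check error', 'user',
                user_id=self.id,
            )
            return False
    elif PLUGIN_AUTH in self.auth_type:
        # Not gated on sso_mode, unlike the provider branches above.
        try:
            return sso.plugin_login_authenticate(
                user_name=self.name,
                password=password,
                remote_ip=remote_ip,
            )[0]
        except Exception:
            logger.exception('Plugin auth check error', 'user',
                user_id=self.id,
            )
            return False

    # No branch applied: nothing to re-check.
    return True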
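def sso_auth_check(self, password, remote_ip):
    """Re-validate this user against its single sign-on provider.

    A provider branch runs only when the provider is both in
    ``self.auth_type`` and in the server-wide ``settings.app.sso`` mode
    (the plugin branch is the exception and is gated on ``auth_type``
    alone). Remote providers honour ``settings.user.skip_remote_sso_check``
    and talk to ``settings.app.dedicated`` when set, else ``AUTH_SERVER``.
    Google, Azure and Auth0 in ``'groups'`` mode also replace
    ``self.groups`` with the provider's list and commit it. Provider errors
    are caught as ``Exception`` (not a bare ``except``), logged, and fail
    closed.

    Args:
        password: Forwarded to RADIUS and plugin authentication only.
        remote_ip: Forwarded to plugin authentication only.

    Returns:
        True when the provider still accepts the user, or when no branch
        applies; False when the provider rejects the user, replies with a
        non-200 status, or the check raises.
    """
    sso_mode = settings.app.sso or ''
    auth_server = AUTH_SERVER
    if settings.app.dedicated:
        auth_server = settings.app.dedicated

    if GOOGLE_AUTH in self.auth_type and GOOGLE_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        try:
            resp = requests.get(auth_server +
                '/update/google?user=%s&license=%s' % (
                    urllib.quote(self.email),
                    settings.app.license,
                ))

            if resp.status_code != 200:
                # The reply body is logged verbatim on failure.
                logger.error('Google auth check request error', 'user',
                    user_id=self.id,
                    user_name=self.name,
                    status_code=resp.status_code,
                    content=resp.content,
                )
                return False

            valid, google_groups = sso.verify_google(self.email)
            if not valid:
                logger.error('Google auth check failed', 'user',
                    user_id=self.id,
                    user_name=self.name,
                )
                return False

            # In groups mode the provider's list replaces the local one
            # (removals included), unlike the union done at SSO login.
            if settings.app.sso_google_mode == 'groups':
                cur_groups = set(self.groups)
                new_groups = set(google_groups)

                if cur_groups != new_groups:
                    self.groups = list(new_groups)
                    self.commit('groups')

            return True
        except Exception:
            # Exception, not bare except: KeyboardInterrupt/SystemExit
            # keep propagating instead of being turned into a False.
            logger.exception('Google auth check error', 'user',
                user_id=self.id,
                user_name=self.name,
            )
            return False
    elif AZURE_AUTH in self.auth_type and AZURE_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        try:
            # The app secret travels as a GET query parameter; query strings
            # are routinely captured by proxy and access logs, so treat those
            # logs (and resp.content below) as sensitive.
            resp = requests.get(auth_server +
                ('/update/azure?user=%s&license=%s&' +
                    'directory_id=%s&app_id=%s&app_secret=%s') % (
                    urllib.quote(self.name),
                    settings.app.license,
                    urllib.quote(settings.app.sso_azure_directory_id),
                    urllib.quote(settings.app.sso_azure_app_id),
                    urllib.quote(settings.app.sso_azure_app_secret),
                ))

            if resp.status_code != 200:
                logger.error('Azure auth check request error', 'user',
                    user_id=self.id,
                    user_name=self.name,
                    status_code=resp.status_code,
                    content=resp.content,
                )
                return False

            valid, azure_groups = sso.verify_azure(self.name)
            if not valid:
                logger.error('Azure auth check failed', 'user',
                    user_id=self.id,
                    user_name=self.name,
                )
                return False

            if settings.app.sso_azure_mode == 'groups':
                cur_groups = set(self.groups)
                new_groups = set(azure_groups)

                if cur_groups != new_groups:
                    self.groups = list(new_groups)
                    self.commit('groups')

            return True
        except Exception:
            logger.exception('Azure auth check error', 'user',
                user_id=self.id,
                user_name=self.name,
            )
            return False
    elif AUTHZERO_AUTH in self.auth_type and AUTHZERO_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        try:
            # Same caveat as Azure: app_secret is a query parameter.
            resp = requests.get(auth_server +
                ('/update/authzero?user=%s&license=%s&' +
                    'app_domain=%s&app_id=%s&app_secret=%s') % (
                    urllib.quote(self.name),
                    settings.app.license,
                    urllib.quote(settings.app.sso_authzero_domain),
                    urllib.quote(settings.app.sso_authzero_app_id),
                    urllib.quote(settings.app.sso_authzero_app_secret),
                ))

            if resp.status_code != 200:
                logger.error('Auth0 auth check request error', 'user',
                    user_id=self.id,
                    user_name=self.name,
                    status_code=resp.status_code,
                    content=resp.content,
                )
                return False

            valid, authzero_groups = sso.verify_authzero(self.name)
            if not valid:
                logger.error('Auth0 auth check failed', 'user',
                    user_id=self.id,
                    user_name=self.name,
                )
                return False

            if settings.app.sso_authzero_mode == 'groups':
                cur_groups = set(self.groups)
                new_groups = set(authzero_groups)

                if cur_groups != new_groups:
                    self.groups = list(new_groups)
                    self.commit('groups')

            return True
        except Exception:
            logger.exception('Auth0 auth check error', 'user',
                user_id=self.id,
                user_name=self.name,
            )
            return False
    elif SLACK_AUTH in self.auth_type and SLACK_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        # Deliberately outside the try: a misconfigured sso_match is a
        # deployment error and must not be logged away as a failed check.
        if not isinstance(settings.app.sso_match, list):
            raise TypeError('Invalid sso match')

        try:
            resp = requests.get(auth_server +
                '/update/slack?user=%s&team=%s&license=%s' % (
                    urllib.quote(self.name),
                    urllib.quote(settings.app.sso_match[0]),
                    settings.app.license,
                ))

            if resp.status_code != 200:
                logger.error('Slack auth check request error', 'user',
                    user_id=self.id,
                    user_name=self.name,
                    status_code=resp.status_code,
                    content=resp.content,
                )
                return False

            return True
        except Exception:
            logger.exception('Slack auth check error', 'user',
                user_id=self.id,
                user_name=self.name,
            )
            return False
    elif SAML_ONELOGIN_AUTH in self.auth_type and \
            SAML_ONELOGIN_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        try:
            return sso.auth_onelogin(self.name)
        except Exception:
            logger.exception('OneLogin auth check error', 'user',
                user_id=self.id,
                user_name=self.name,
            )
            return False
    elif SAML_OKTA_AUTH in self.auth_type and \
            SAML_OKTA_AUTH in sso_mode:
        if settings.user.skip_remote_sso_check:
            return True

        try:
            return sso.auth_okta(self.name)
        except Exception:
            logger.exception('Okta auth check error', 'user',
                user_id=self.id,
                user_name=self.name,
            )
            return False
    elif RADIUS_AUTH in self.auth_type and RADIUS_AUTH in sso_mode:
        try:
            # verify_radius returns a tuple; index 0 is the validity flag.
            return sso.verify_radius(self.name, password)[0]
        except Exception:
            logger.exception('Radius auth check error', 'user',
                user_id=self.id,
                user_name=self.name,
            )
            return False
    elif PLUGIN_AUTH in self.auth_type:
        # Not gated on sso_mode, unlike the provider branches above.
        try:
            # NOTE(review): index 1 of the plugin result is returned here,
            # while other revisions on this page return index 0 - confirm
            # which tuple position carries the validity flag for this
            # plugin_login_authenticate signature.
            return sso.plugin_login_authenticate(
                user_name=self.name,
                password=password,
                remote_ip=remote_ip,
            )[1]
        except Exception:
            logger.exception('Plugin auth check error', 'user',
                user_id=self.id,
                user_name=self.name,
            )
            return False

    # No branch applied: nothing to re-check.
    return True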
def _auth_radius(username, password):
    """Complete a RADIUS single sign-on login and answer with a key-link redirect.

    Verifies the credentials with ``sso.verify_radius``, resolves the target
    organization (the id RADIUS returned, else ``settings.app.sso_org``,
    either of which the SSO plugin hook may override), provisions the user
    on first login or updates an existing one, and returns a 202 whose
    ``redirect`` points at a one-time profile key link.

    Args:
        username: Login name as supplied by the client.
        password: RADIUS password as supplied by the client.

    Returns:
        A ``utils.jsonify`` response: 401 when RADIUS or the plugin hook
        rejects the login, 403 for a disabled user, 202 with the redirect on
        success. An unknown organization goes through ``flask.abort(405)``,
        which raises.
    """
    valid, org_id = sso.verify_radius(username, password)
    if not valid:
        return utils.jsonify({
            'error': AUTH_INVALID,
            'error_msg': AUTH_INVALID_MSG,
        }, 401)

    # RADIUS may not name an organization; fall back to the configured default.
    if not org_id:
        org_id = settings.app.sso_org

    # Plugin hook may override the organization; this revision's hook returns
    # a two-tuple and contributes no groups.
    valid, org_id_new = sso.plugin_sso_authenticate(
        sso_type='radius',
        user_name=username,
        user_email=None,
        remote_ip=utils.get_remote_addr(),
    )
    if valid:
        org_id = org_id_new or org_id
    else:
        logger.error('Radius plugin authentication not valid', 'sso',
            username=username,
        )
        return utils.jsonify({
            'error': AUTH_INVALID,
            'error_msg': AUTH_INVALID_MSG,
        }, 401)

    org = organization.get_by_id(org_id)
    if not org:
        # abort() raises an HTTPException, so no value is actually returned here.
        return flask.abort(405)

    usr = org.find_user(name=username)
    if not usr:
        # First login through RADIUS: create the user as a client-certificate holder.
        usr = org.new_user(name=username, type=CERT_CLIENT,
            auth_type=RADIUS_AUTH)
        usr.audit_event(
            'user_created',
            'User created with single sign-on',
            remote_addr=utils.get_remote_addr(),
        )
        event.Event(type=ORGS_UPDATED)
        event.Event(type=USERS_UPDATED, resource_id=org.id)
        event.Event(type=SERVERS_UPDATED)
    else:
        if usr.disabled:
            return utils.jsonify({
                'error': AUTH_DISABLED,
                'error_msg': AUTH_DISABLED_MSG,
            }, 403)

        # Migrating an existing user onto RADIUS also clears any stored PIN.
        if usr.auth_type != RADIUS_AUTH:
            usr.auth_type = RADIUS_AUTH
            usr.set_pin(None)
            usr.commit(('auth_type', 'pin'))

    key_link = org.create_user_key_link(usr.id, one_time=True)

    usr.audit_event('user_profile',
        'User profile viewed from single sign-on',
        remote_addr=utils.get_remote_addr(),
    )

    return utils.jsonify({
        'redirect': utils.get_url_root() + key_link['view_url'],
    }, 202)
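def sso_auth_check(self, password):
    """Re-validate this user against its single sign-on provider.

    Dispatches on ``self.auth_type``: Google and Slack (lookups against the
    auth server), OneLogin, Okta, or RADIUS (``sso.verify_radius``, the only
    branch that uses ``password``). Provider errors are caught as
    ``Exception`` (not a bare ``except``), logged, and fail closed.

    Returns:
        True when the provider still accepts the user, or when none of the
        handled providers appears in ``self.auth_type``; False when the
        provider rejects the user or the check raises.
    """
    if GOOGLE_AUTH in self.auth_type:
        try:
            resp = requests.get(AUTH_SERVER +
                '/update/google?user=%s&license=%s' % (
                    urllib.quote(self.email),
                    settings.app.license,
                ))

            if resp.status_code == 200:
                return True
        except Exception:
            # Exception, not bare except: KeyboardInterrupt/SystemExit
            # keep propagating instead of being turned into a False.
            logger.exception(
                'Google auth check error', 'user',
                user_id=self.id,
            )
        # Reached on a non-200 reply or after an error: fail closed rather
        # than falling through to the trailing return True.
        return False
    elif SLACK_AUTH in self.auth_type:
        try:
            # NOTE(review): no type guard on settings.app.sso_match here; if it
            # were a str, [0] would silently yield its first character. Other
            # revisions on this page raise TypeError unless it is a list.
            resp = requests.get(
                AUTH_SERVER + '/update/slack?user=%s&team=%s&license=%s' % (
                    urllib.quote(self.name),
                    urllib.quote(settings.app.sso_match[0]),
                    settings.app.license,
                ))

            if resp.status_code == 200:
                return True
        except Exception:
            logger.exception(
                'Slack auth check error', 'user',
                user_id=self.id,
            )
        return False
    elif SAML_ONELOGIN_AUTH in self.auth_type:
        try:
            return sso.auth_onelogin(self.name)
        except Exception:
            logger.exception(
                'OneLogin auth check error', 'user',
                user_id=self.id,
            )
            return False
    elif SAML_OKTA_AUTH in self.auth_type:
        try:
            return sso.auth_okta(self.name)
        except Exception:
            logger.exception(
                'Okta auth check error', 'user',
                user_id=self.id,
            )
            return False
    elif RADIUS_AUTH in self.auth_type:
        try:
            # verify_radius returns a tuple; index 0 is the validity flag.
            return sso.verify_radius(self.name, password)[0]
        except Exception:
            logger.exception(
                'Radius auth check error', 'user',
                user_id=self.id,
            )
            return False
    # No handled provider in auth_type: nothing to re-check.
    return True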