def associate_account_by_email(backend, details, user, *args, **kwargs):
"""
This pipeline step associates the current social auth with the user which has the
same email address in the database. It defers from social library's associate_by_email
implementation, which verifies that only a single database user is associated with the email.
"""
return associate_by_email(backend, details, user, *args, **kwargs)
def associate_by_email_if_login_api(auth_entry,
backend,
details,
user,
current_partial=None,
*args,
**kwargs):
"""
This pipeline step associates the current social auth with the user with the
same email address in the database. It defers to the social library's associate_by_email
implementation, which verifies that only a single database user is associated with the email.
This association is done ONLY if the user entered the pipeline through a LOGIN API.
"""
custom_auth_entry = AUTH_ENTRY_CUSTOM.get(auth_entry)
if auth_entry == AUTH_ENTRY_LOGIN_API or (
custom_auth_entry and custom_auth_entry.get('link_by_email')):
association_response = associate_by_email(backend, details, user,
*args, **kwargs)
if (association_response and association_response.get('user')
and association_response['user'].is_active):
# Only return the user matched by email if their email has been activated.
# Otherwise, an illegitimate user can create an account with another user's
# email address and the legitimate user would now login to the illegitimate
# account.
return association_response
def associate_by_email_if_login_api(auth_entry,
backend,
details,
user,
current_partial=None,
*args,
**kwargs): # lint-amnesty, pylint: disable=keyword-arg-before-vararg
"""
This pipeline step associates the current social auth with the user with the
same email address in the database. It defers to the social library's associate_by_email
implementation, which verifies that only a single database user is associated with the email.
This association is done ONLY if the user entered the pipeline through a LOGIN API.
"""
if auth_entry == AUTH_ENTRY_LOGIN_API:
# Temporary custom attribute to help ensure there is no usage.
set_custom_attribute('deprecated_auth_entry_login_api', True)
association_response = associate_by_email(backend, details, user,
*args, **kwargs)
if (association_response and association_response.get('user')
and association_response['user'].is_active):
# Only return the user matched by email if their email has been activated.
# Otherwise, an illegitimate user can create an account with another user's
# email address and the legitimate user would now login to the illegitimate
# account.
return association_response
def associate_forus_account_by_email(backend, details, user, backend_name,
*args, **kwargs):
"""
This pipeline step associates the current social auth with the user with the
same email address in the database. It defers to the social library's associate_by_email
implementation, which verifies that only a single database user is associated with the email.
"""
if backend_name == FORUS_BACKEND_NAME:
return associate_by_email(backend, details, user, *args, **kwargs)
def associate_forus_account_by_email(backend, details, user,
backend_name, *args, **kwargs):
"""
This pipeline step associates the current social auth with the user with the
same email address in the database. It defers to the social library's associate_by_email
implementation, which verifies that only a single database user is associated with the email.
"""
if backend_name == FORUS_BACKEND_NAME:
return associate_by_email(backend, details, user, *args, **kwargs)
def associate_by_email_if_enterprise_user():
"""
If the learner arriving via SAML is already linked to the enterprise customer linked to the same IdP,
they should not be prompted for their edX password.
"""
try:
enterprise_customer_user = is_enterprise_customer_user(current_provider.provider_id, current_user)
logger.info(
u'[Multiple_SSO_SAML_Accounts_Association_to_User] Enterprise user verification:'
u'User Email: {email}, User ID: {user_id}, Provider ID: {provider_id},'
u' is_enterprise_customer_user: {enterprise_customer_user}'.format(
email=current_user.email,
user_id=current_user.id,
provider_id=current_provider.provider_id,
enterprise_customer_user=enterprise_customer_user,
)
)
if enterprise_customer_user:
# this is python social auth pipeline default method to automatically associate social accounts
# if the email already matches a user account.
association_response = associate_by_email(backend, details, user, *args, **kwargs)
if (
association_response and
association_response.get('user') and
association_response['user'].is_active
):
# Only return the user matched by email if their email has been activated.
# Otherwise, an illegitimate user can create an account with another user's
# email address and the legitimate user would now login to the illegitimate
# account.
return association_response
elif (
association_response and
association_response.get('user') and
not association_response['user'].is_active
):
logger.info(
u'[Multiple_SSO_SAML_Accounts_Association_to_User] User association account is not'
u' active: User Email: {email}, User ID: {user_id}, Provider ID: {provider_id},'
u' is_enterprise_customer_user: {enterprise_customer_user}'.format(
email=current_user.email,
user_id=current_user.id,
provider_id=current_provider.provider_id,
enterprise_customer_user=enterprise_customer_user
)
)
return None
except Exception as ex: # pylint: disable=broad-except
logger.exception('[Multiple_SSO_SAML_Accounts_Association_to_User] Error in'
' saml multiple accounts association: User ID: %s, User Email: %s:,'
'Provider ID: %s, Exception: %s', current_user.id, current_user.email,
current_provider.provider_id, ex)
def associate_email_or_redirect(backend, details, user=None, *args, **kwargs):
"""extension of the associate_email step in the pipeline to add redirect if user not found"""
if user:
return None
else:
associated_user = associate_by_email(backend, details, user, *args,
**kwargs)
if associated_user is not None:
return associated_user
else:
return HttpResponseRedirect(reverse("invalid_user"))
def selectively_associate_by_email(backend, details, user=None, *args, **kwargs):
"""
Associate current auth with a user with the same email address in the DB.
This pipeline entry is not 100% secure unless you know that the providers
enabled enforce email verification on their side, otherwise a user can
attempt to take over another user account by using the same (not validated)
email address on some provider.
Not using Facebook or Twitter to authenticate a user.
"""
if backend.name in ('twitter', 'facebook'):
return None
return associate_by_email(backend, details, user=None, *args, **kwargs)
def get_associated_user_by_email_response(backend, details, user, *args,
**kwargs):
"""
Gets the user associated by the `associate_by_email` social auth method
"""
association_response = associate_by_email(backend, details, user, *args,
**kwargs)
if (association_response and association_response.get('user')):
# Only return the user matched by email if their email has been activated.
# Otherwise, an illegitimate user can create an account with another user's
# email address and the legitimate user would now login to the illegitimate
# account.
return (association_response, association_response['user'].is_active)
return (None, False)
def associate_by_email_if_login_api(auth_entry, backend, details, user, current_partial=None, *args, **kwargs):
"""
This pipeline step associates the current social auth with the user with the
same email address in the database. It defers to the social library's associate_by_email
implementation, which verifies that only a single database user is associated with the email.
This association is done ONLY if the user entered the pipeline through a LOGIN API.
"""
if auth_entry == AUTH_ENTRY_LOGIN_API:
association_response = associate_by_email(backend, details, user, *args, **kwargs)
if (
association_response and
association_response.get('user') and
association_response['user'].is_active
):
# Only return the user matched by email if their email has been activated.
# Otherwise, an illegitimate user can create an account with another user's
# email address and the legitimate user would now login to the illegitimate
# account.
return association_response
