def clean(self): username = self.cleaned_data.get('login') password = self.cleaned_data.get('password') if username and password: if not is_valid_email(username): # convert login id to username if any username = Profile.objects.convert_login_str_to_username( username) self.user_cache = authenticate(username=username, password=password) if self.user_cache is None: """then try login id/contact email/primary id""" # convert contact email to username if any username = Profile.objects.convert_login_str_to_username( username) # convert username to primary id if any username = self.get_primary_id_by_username(username) self.user_cache = authenticate(username=username, password=password) if self.user_cache is None: err_msg = _( "Please enter a correct email/username and password. Note that both fields are case-sensitive." ) if settings.LOGIN_ERROR_DETAILS: try: u = User.objects.get(email=username) except User.DoesNotExist: err_msg = _( "That e-mail address doesn't have an associated user account. Are you sure you've registered?" ) self.errors['not_found'] = err_msg raise forms.ValidationError(err_msg) # user found for login string but inactive if not self.user_cache.is_active: if settings.ACTIVATE_AFTER_FIRST_LOGIN and \ not UserOptions.objects.is_user_logged_in(username): """Activate user on first login.""" self.user_cache.is_active = True self.user_cache.save() UserOptions.objects.set_user_logged_in(username) else: self.errors['inactive'] = _("This account is inactive.") raise forms.ValidationError(_("This account is inactive.")) # TODO: determine whether this should move to its own method. if self.request: if not self.request.session.test_cookie_worked(): raise forms.ValidationError( _("Your Web browser doesn't appear to have cookies enabled. Cookies are required for logging in." )) return self.cleaned_data
def process_request(self, request): if request.path not in self.trust_endpoints: return # AuthenticationMiddleware is required so that request.user exists. if not hasattr(request, 'user'): raise ImproperlyConfigured( "The Django remote user auth middleware requires the" " authentication middleware to be installed. Edit your" " MIDDLEWARE_CLASSES setting to insert" " 'django.contrib.auth.middleware.AuthenticationMiddleware'" " before the RemoteUserMiddleware class.") try: username = request.META[self.header] except KeyError: # If specified header doesn't exist then return (leaving # request.user set to AnonymousUser by the # AuthenticationMiddleware). return # If the user is already authenticated and that user is the user we are # getting passed in the headers, then the correct user is already # persisted in the session and we don't need to continue. if request.user.is_authenticated(): if request.user.username == self.clean_username(username, request): return # We are seeing this user for the first time in this session, attempt # to authenticate the user. user = auth.authenticate(remote_user=username) if user: # User is valid. Set request.user and persist user in the session # by logging the user in. request.user = user auth.login(request, user)
def process_request(self, request): # AuthenticationMiddleware is required so that request.user exists. if not hasattr(request, "user"): raise ImproperlyConfigured( "The Django remote user auth middleware requires the" " authentication middleware to be installed. Edit your" " MIDDLEWARE_CLASSES setting to insert" " 'django.contrib.auth.middleware.AuthenticationMiddleware'" " before the RemoteUserMiddleware class." ) # To support logout. If this variable is True, do not # authenticate user and return now. if request.session.get(LOGOUT_SESSION_KEY) == True: return else: # Delete the shib reauth session key if present. request.session.pop(LOGOUT_SESSION_KEY, None) # Locate the remote user header. # import pprint; pprint.pprint(request.META) try: username = request.META[SHIB_USER_HEADER] except KeyError: # If specified header doesn't exist then return (leaving # request.user set to AnonymousUser by the # AuthenticationMiddleware). return # If the user is already authenticated and that user is the user we are # getting passed in the headers, then the correct user is already # persisted in the session and we don't need to continue. if request.user.is_authenticated(): if request.user.username == username: if request.user.is_staff: update_sudo_mode_ts(request) return # Make sure we have all required Shiboleth elements before proceeding. shib_meta, error = self.parse_attributes(request) # Add parsed attributes to the session. request.session["shib"] = shib_meta if error: raise ShibbolethValidationError("All required Shibboleth elements" " not found. %s" % shib_meta) # We are seeing this user for the first time in this session, attempt # to authenticate the user. user = auth.authenticate(remote_user=username, shib_meta=shib_meta) if user: # User is valid. Set request.user and persist user in the session # by logging the user in. request.user = user auth.login(request, user) user.set_unusable_password() user.save() # call make profile. self.make_profile(user, shib_meta) # setup session. self.setup_session(request) request.shib_login = True
def process_request(self, request): protected_paths = [ item.strip().strip('/') for item in self.protected_paths ] if request.path.strip('/') not in protected_paths: return # AuthenticationMiddleware is required so that request.user exists. if not hasattr(request, 'user'): raise ImproperlyConfigured( "The Django remote user auth middleware requires the" " authentication middleware to be installed. Edit your" " MIDDLEWARE setting to insert" " 'django.contrib.auth.middleware.AuthenticationMiddleware'" " before the RemoteUserMiddleware class.") try: username = request.META[self.header] except KeyError: if settings.DEBUG: assert False # If specified header doesn't exist then remove any existing # authenticated remote-user, or return (leaving request.user set to # AnonymousUser by the AuthenticationMiddleware). if self.force_logout_if_no_header and request.user.is_authenticated( ): self._remove_invalid_user(request) return if self.remote_user_domain: username = username.split('@')[0] + '@' + self.remote_user_domain # If the user is already authenticated and that user is the user we are # getting passed in the headers, then the correct user is already # persisted in the session and we don't need to continue. if request.user.is_authenticated(): if request.user.get_username() == self.clean_username( username, request): if request.user.is_staff: update_sudo_mode_ts(request) # add a mark to generate api token and set cookie request.remote_user_authentication = True return else: # An authenticated user is associated with the request, but # it does not match the authorized user in the header. self._remove_invalid_user(request) # We are seeing this user for the first time in this session, attempt # to authenticate the user. user = auth.authenticate(request=request, remote_user=username) if user: # User is valid. Set request.user and persist user in the session # by logging the user in. request.user = user auth.login(request, user) # add a mark to generate api token and set cookie request.remote_user_authentication = True
def process_request(self, request): # AuthenticationMiddleware is required so that request.user exists. if not hasattr(request, 'user'): raise ImproperlyConfigured( "The Django remote user auth middleware requires the" " authentication middleware to be installed. Edit your" " MIDDLEWARE_CLASSES setting to insert" " 'django.contrib.auth.middleware.AuthenticationMiddleware'" " before the RemoteUserMiddleware class.") #To support logout. If this variable is True, do not #authenticate user and return now. if request.session.get(LOGOUT_SESSION_KEY) == True: return else: #Delete the shib reauth session key if present. request.session.pop(LOGOUT_SESSION_KEY, None) #Locate the remote user header. # import pprint; pprint.pprint(request.META) try: username = request.META[SHIB_USER_HEADER] except KeyError: # If specified header doesn't exist then return (leaving # request.user set to AnonymousUser by the # AuthenticationMiddleware). return # If the user is already authenticated and that user is the user we are # getting passed in the headers, then the correct user is already # persisted in the session and we don't need to continue. if request.user.is_authenticated(): if request.user.username == username: if request.user.is_staff: update_sudo_mode_ts(request) return # Make sure we have all required Shiboleth elements before proceeding. shib_meta, error = self.parse_attributes(request) # Add parsed attributes to the session. request.session['shib'] = shib_meta if error: raise ShibbolethValidationError("All required Shibboleth elements" " not found. %s" % shib_meta) # We are seeing this user for the first time in this session, attempt # to authenticate the user. user = auth.authenticate(remote_user=username, shib_meta=shib_meta) if user: # User is valid. Set request.user and persist user in the session # by logging the user in. request.user = user auth.login(request, user) user.set_unusable_password() user.save() # call make profile. self.make_profile(user, shib_meta) #setup session. self.setup_session(request) request.shib_login = True
def token_view(request, token): """Show form to let user set password. """ i = get_object_or_404(Invitation, token=token) if i.is_expired(): raise Http404 if request.method == 'GET': try: user = User.objects.get(email=i.accepter) if user.is_active is True: # user is active return exist messages.error(request, _('A user with this email already exists.')) except User.DoesNotExist: pass return render(request, 'invitations/token_view.html', {'iv': i, }) if request.method == 'POST': passwd = request.POST.get('password', '') if not passwd: return HttpResponseRedirect(request.META.get('HTTP_REFERER')) try: user = User.objects.get(email=i.accepter) if user.is_active is True: # user is active return exist messages.error(request, _('A user with this email already exists.')) return render(request, 'invitations/token_view.html', {'iv': i, }) else: # user is inactive then set active and new password user.set_password(passwd) user.is_active = True user.save() user = authenticate(username=user.username, password=passwd) except User.DoesNotExist: # Create user, set that user as guest. user = User.objects.create_user( email=i.accepter, password=passwd, is_active=True) User.objects.update_role(user.username, GUEST_USER) for backend in get_backends(): user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__) # Update invitation accept time. i.accept() # login auth_login(request, user) # send signal to notify inviter accept_guest_invitation_successful.send( sender=None, invitation_obj=i) # send email to notify admin if NOTIFY_ADMIN_AFTER_REGISTRATION: notify_admins_on_register_complete(user.email) return HttpResponseRedirect(SITE_ROOT)
def clean(self): username = self.cleaned_data.get('login') password = self.cleaned_data.get('password') if username and password: self.user_cache = authenticate(username=username, password=password) if self.user_cache is None: """then try login id/contact email/primary id""" # convert login id or contact email to username if any username = Profile.objects.convert_login_str_to_username(username) # convert username to primary id if any username = self.get_primary_id_by_username(username) self.user_cache = authenticate(username=username, password=password) if self.user_cache is None: err_msg = _("Please enter a correct email/username and password. Note that both fields are case-sensitive.") if settings.LOGIN_ERROR_DETAILS: try: u = User.objects.get(email=username) except User.DoesNotExist: err_msg = _("That e-mail address doesn't have an associated user account. Are you sure you've registered?") self.errors['not_found'] = err_msg raise forms.ValidationError(err_msg) # user found for login string but inactive if not self.user_cache.is_active: if settings.ACTIVATE_AFTER_FIRST_LOGIN and \ not UserOptions.objects.is_user_logged_in(username): """Activate user on first login.""" self.user_cache.is_active = True self.user_cache.save() UserOptions.objects.set_user_logged_in(username) else: self.errors['inactive'] = _("This account is inactive.") raise forms.ValidationError(_("This account is inactive.")) # TODO: determine whether this should move to its own method. if self.request: if not self.request.session.test_cookie_worked(): raise forms.ValidationError(_("Your Web browser doesn't appear to have cookies enabled. Cookies are required for logging in.")) return self.cleaned_data
def process_request(self, request): protected_paths = [item.strip().strip('/') for item in self.protected_paths] if request.path.strip('/') not in protected_paths: return # AuthenticationMiddleware is required so that request.user exists. if not hasattr(request, 'user'): raise ImproperlyConfigured( "The Django remote user auth middleware requires the" " authentication middleware to be installed. Edit your" " MIDDLEWARE setting to insert" " 'django.contrib.auth.middleware.AuthenticationMiddleware'" " before the RemoteUserMiddleware class.") try: username = request.META[self.header] except KeyError: if settings.DEBUG: assert False # If specified header doesn't exist then remove any existing # authenticated remote-user, or return (leaving request.user set to # AnonymousUser by the AuthenticationMiddleware). if self.force_logout_if_no_header and request.user.is_authenticated( ): self._remove_invalid_user(request) return if self.remote_user_domain: username = username.split('@')[0] + '@' + self.remote_user_domain # If the user is already authenticated and that user is the user we are # getting passed in the headers, then the correct user is already # persisted in the session and we don't need to continue. if request.user.is_authenticated(): if request.user.get_username() == self.clean_username( username, request): if request.user.is_staff: update_sudo_mode_ts(request) # add a mark to generate api token and set cookie request.remote_user_authentication = True return else: # An authenticated user is associated with the request, but # it does not match the authorized user in the header. self._remove_invalid_user(request) # We are seeing this user for the first time in this session, attempt # to authenticate the user. user = auth.authenticate(request=request, remote_user=username) if user: # User is valid. Set request.user and persist user in the session # by logging the user in. request.user = user auth.login(request, user) # add a mark to generate api token and set cookie request.remote_user_authentication = True
def validate(self, attrs): login_id = attrs.get('username') password = attrs.get('password') platform = attrs.get('platform', None) device_id = attrs.get('device_id', None) device_name = attrs.get('device_name', None) client_version = attrs.get('client_version', None) platform_version = attrs.get('platform_version', None) v2_fields = (platform, device_id, device_name) # Decide the version of token we need if all_none(v2_fields): v2 = False elif all_not_none(v2_fields): v2 = True else: raise serializers.ValidationError('invalid params') username = Profile.objects.get_username_by_login_id(login_id) if username is None: username = login_id if username and password: user = authenticate(username=username, password=password) if user: if not user.is_active: raise serializers.ValidationError('User account is disabled.') else: raise serializers.ValidationError('Unable to login with provided credentials.') else: raise serializers.ValidationError('Must include "username" and "password"') populate_user_permissions(user) if platform in DESKTOP_PLATFORMS: if not user.permissions.can_connect_with_desktop_clients(): raise serializers.ValidationError('Not allowed to connect to desktop client.') elif platform == 'android': if not user.permissions.can_connect_with_android_clients(): raise serializers.ValidationError('Not allowed to connect to android client.') elif platform == 'ios': if not user.permissions.can_connect_with_ios_clients(): raise serializers.ValidationError('Not allowed to connect to ios client.') else: logger.info('%s: unrecognized device' % login_id) self._two_factor_auth(self.context['request'], user) # Now user is authenticated if v2: token = get_token_v2(self.context['request'], username, platform, device_id, device_name, client_version, platform_version) else: token = get_token_v1(username) return token.key
def validate(self, attrs): username = attrs.get('username') password = attrs.get('password') if username and password: user = authenticate(username=username, password=password) if user: if not user.is_active: raise serializers.ValidationError('User account is disabled.') attrs['user'] = user return attrs else: raise serializers.ValidationError('Unable to login with provided credentials.') else: raise serializers.ValidationError('Must include "username" and "password"')
def acs(request): saml_client = _get_saml_client() saml_resp = request.POST.get('SAMLResponse', None) if not saml_resp: return render_error(request, _('login failed, please contact admin.')) authn_response = saml_client.parse_authn_request_response( saml_resp, entity.BINDING_HTTP_POST) if not authn_response: return render_error(request, _('login failed, please contact admin.')) user_identity = authn_response.get_identity() if not user_identity: return render_error(request, _('login failed, please contact admin.')) for saml_key, dtable_key in SAML_ATTR_MAPPERS.items(): if dtable_key == 'contact_email': user_email = user_identity.get(saml_key, [''])[0] elif dtable_key == 'name': username = user_identity.get(saml_key, [''])[0] if not user_email: return render_error(request, _('login failed, please contact admin.')) try: user = auth.authenticate(remote_user=user_email, nickname=username) except User.DoesNotExist: user = None if not user or not user.is_active: logger.error('User %s not found or inactive.' % user_email) # a page for authenticate user failed return render_error(request, _('User %s not found.') % user_email) # User is valid. Set request.user and persist user in the session # by logging the user in. request.user = user auth.login(request, user) next_url = request.session.get('login_next_url', _default_next_url()) default_relay_state = '/' relay_state = request.POST.get('RelayState', next_url) if not relay_state: logger.warning('The RelayState parameter exists but is empty') relay_state = default_relay_state return HttpResponseRedirect(relay_state)
def clean(self): username = self.cleaned_data.get('username') password = self.cleaned_data.get('password') if username and password: self.user_cache = authenticate(username=username, password=password) if self.user_cache is None: raise forms.ValidationError(_("Please enter a correct username and password. Note that both fields are case-sensitive.")) elif not self.user_cache.is_active: raise forms.ValidationError(_("This account is inactive.")) # TODO: determine whether this should move to its own method. if self.request: if not self.request.session.test_cookie_worked(): raise forms.ValidationError(_("Your Web browser doesn't appear to have cookies enabled. Cookies are required for logging in.")) return self.cleaned_data
def validate(self, attrs): username = attrs.get("username") password = attrs.get("password") platform = attrs.get("platform", None) device_id = attrs.get("device_id", None) device_name = attrs.get("device_name", None) client_version = attrs.get("client_version", None) platform_version = attrs.get("platform_version", None) v2_fields = (platform, device_id, device_name, client_version, platform_version) # Decide the version of token we need if all_none(v2_fields): v2 = False elif all_not_none(v2_fields): v2 = True else: raise serializers.ValidationError("invalid params") # first check username and password if username: if not is_valid_username(username): raise serializers.ValidationError("username is not valid.") if username and password: user = authenticate(username=username, password=password) if user: if not user.is_active: raise serializers.ValidationError("User account is disabled.") else: raise serializers.ValidationError("Unable to login with provided credentials.") else: raise serializers.ValidationError('Must include "username" and "password"') # Now user is authenticated if v2: token = get_token_v2( self.context["request"], username, platform, device_id, device_name, client_version, platform_version ) else: token = get_token_v1(username) return token.key
def validate(self, attrs): login_id = attrs.get('username') password = attrs.get('password') platform = attrs.get('platform', None) device_id = attrs.get('device_id', None) device_name = attrs.get('device_name', None) client_version = attrs.get('client_version', None) platform_version = attrs.get('platform_version', None) v2_fields = (platform, device_id, device_name) # Decide the version of token we need if all_none(v2_fields): v2 = False elif all_not_none(v2_fields): v2 = True else: raise serializers.ValidationError('invalid params') username = Profile.objects.get_username_by_login_id(login_id) if username is None: username = login_id if username and password: user = authenticate(username=username, password=password) if user: if not user.is_active: raise serializers.ValidationError('User account is disabled.') else: raise serializers.ValidationError('Unable to login with provided credentials.') else: raise serializers.ValidationError('Must include "username" and "password"') self._two_factor_auth(self.context['request'], username) # Now user is authenticated if v2: token = get_token_v2(self.context['request'], username, platform, device_id, device_name, client_version, platform_version) else: token = get_token_v1(username) return token.key
def validate(self, attrs): username = attrs.get('username') password = attrs.get('password') if username and password: user = authenticate(username=username, password=password) if user: if not user.is_active: raise serializers.ValidationError( 'User account is disabled.') attrs['user'] = user return attrs else: raise serializers.ValidationError( 'Unable to login with provided credentials.') else: raise serializers.ValidationError( 'Must include "username" and "password"')
def oauth_callback(request): """ Step 3: Retrieving an access token. The user has been redirected back from the provider to your registered callback URL. With this redirection comes an authorization code included in the redirect URL. We will use that to obtain an access token. """ session = OAuth2Session(client_id=CLIENT_ID, scope=SCOPE, state=request.session.get('oauth_state', None), redirect_uri=REDIRECT_URL) try: token = session.fetch_token( TOKEN_URL, client_secret=CLIENT_SECRET, authorization_response=request.get_full_path()) if session._client.__dict__['token'].has_key('user_id'): # used for sjtu.edu.cn # https://xjq12311.gitbooks.io/sjtu-engtc/content/ user_id = session._client.__dict__['token']['user_id'] user_info_resp = session.get(USER_INFO_URL + '?user_id=%s' % user_id) else: user_info_url = USER_INFO_URL if ACCESS_TOKEN_IN_URI: code = request.GET.get('code') user_info_url = USER_INFO_URL + '?access_token=%s&code=%s' % ( token['access_token'], code) user_info_resp = session.get(user_info_url) except Exception as e: logger.error(e) return render_error(request, _('Error, please contact administrator.')) def format_user_info(user_info_resp): logger.info('user info resp: %s' % user_info_resp.text) error = False user_info = {} user_info_json = user_info_resp.json() for item, attr in ATTRIBUTE_MAP.items(): required, user_attr = attr value = user_info_json.get(item, '') if value: # ccnet email if user_attr == 'email': user_info[user_attr] = value if is_valid_email(str(value)) else \ '%s@%s' % (str(value), PROVIDER_DOMAIN) else: user_info[user_attr] = value elif required: error = True return user_info, error user_info, error = format_user_info(user_info_resp) if error: logger.error('Required user info not found.') logger.error(user_info) return render_error(request, _('Error, please contact administrator.')) # seahub authenticate user email = user_info['email'] try: user = auth.authenticate(remote_user=email) except User.DoesNotExist: user = None if not user or not user.is_active: logger.error('User %s not found or inactive.' % email) # a page for authenticate user failed return render_error(request, _(u'User %s not found.') % email) # User is valid. Set request.user and persist user in the session # by logging the user in. request.user = user auth.login(request, user) # update user's profile name = user_info['name'] if user_info.has_key('name') else '' contact_email = user_info['contact_email'] if \ user_info.has_key('contact_email') else '' profile = Profile.objects.get_profile_by_user(email) if not profile: profile = Profile(user=email) if name: profile.nickname = name.strip() profile.save() if contact_email: profile.contact_email = contact_email.strip() profile.save() # generate auth token for Seafile client api_token = get_api_token(request) # redirect user to home page response = HttpResponseRedirect(request.session['oauth_redirect']) response.set_cookie('seahub_auth', email + '@' + api_token.key) return response
def login(request, next_page=None, required=False): """Forwards to CAS login URL or verifies CAS ticket""" service_url = get_service_url(request, next_page) client = get_cas_client(service_url=service_url, request=request) if not next_page and settings.CAS_STORE_NEXT and 'CASNEXT' in request.session: next_page = request.session['CASNEXT'] del request.session['CASNEXT'] if not next_page: next_page = get_redirect_url(request) if request.method == 'POST' and request.POST.get('logoutRequest'): clean_sessions(client, request) return HttpResponseRedirect(next_page) # backward compability for django < 2.0 is_user_authenticated = False if sys.version_info >= (3, 0): bool_type = bool else: bool_type = types.BooleanType if isinstance(request.user.is_authenticated, bool_type): is_user_authenticated = request.user.is_authenticated else: is_user_authenticated = request.user.is_authenticated() if is_user_authenticated: if settings.CAS_LOGGED_MSG is not None: message = settings.CAS_LOGGED_MSG % request.user.get_username() messages.success(request, message) return HttpResponseRedirect(next_page) ticket = request.GET.get('ticket') if ticket: user = authenticate(ticket=ticket, service=service_url, request=request) pgtiou = request.session.get("pgtiou") if user is not None: if not request.session.exists(request.session.session_key): request.session.create() auth_login(request, user) SessionTicket.objects.create( session_key=request.session.session_key, ticket=ticket) if pgtiou and settings.CAS_PROXY_CALLBACK: # Delete old PGT ProxyGrantingTicket.objects.filter( user=user, session_key=request.session.session_key).delete() # Set new PGT ticket try: pgt = ProxyGrantingTicket.objects.get(pgtiou=pgtiou) pgt.user = user pgt.session_key = request.session.session_key pgt.save() except ProxyGrantingTicket.DoesNotExist: pass if settings.CAS_LOGIN_MSG is not None: name = user.get_username() message = settings.CAS_LOGIN_MSG % name messages.success(request, message) return HttpResponseRedirect(next_page) elif settings.CAS_RETRY_LOGIN or required: return HttpResponseRedirect(client.get_login_url()) else: raise PermissionDenied(_('Login failed.')) else: if settings.CAS_STORE_NEXT: request.session['CASNEXT'] = next_page return HttpResponseRedirect(client.get_login_url())
def oauth_callback(request): """ Step 3: Retrieving an access token. The user has been redirected back from the provider to your registered callback URL. With this redirection comes an authorization code included in the redirect URL. We will use that to obtain an access token. """ session = OAuth2Session(client_id=CLIENT_ID, scope=SCOPE, state=request.session.get('oauth_state', None), redirect_uri=REDIRECT_URL) try: session.fetch_token(TOKEN_URL, client_secret=CLIENT_SECRET, authorization_response=request.get_full_path()) if session._client.__dict__['token'].has_key('user_id'): # used for sjtu.edu.cn # https://xjq12311.gitbooks.io/sjtu-engtc/content/ user_id = session._client.__dict__['token']['user_id'] user_info_resp = session.get(USER_INFO_URL + '?user_id=%s' % user_id) else: user_info_resp = session.get(USER_INFO_URL) except Exception as e: logger.error(e) return render(request, 'error.html', { 'error_msg': _('Error, please contact administrator.'), }) def format_user_info(user_info_resp): error = False user_info = {} user_info_json = user_info_resp.json() for item, attr in ATTRIBUTE_MAP.items(): required, user_attr = attr value = user_info_json.get(item, '') if value: # ccnet email if user_attr == 'email': user_info[user_attr] = value if is_valid_email(str(value)) else \ '%s@%s' % (str(value), PROVIDER_DOMAIN) else: user_info[user_attr] = value elif required: error = True return user_info, error user_info, error = format_user_info(user_info_resp) if error: logger.error('Required user info not found.') logger.error(user_info) return render(request, 'error.html', { 'error_msg': _('Error, please contact administrator.'), }) # seahub authenticate user email = user_info['email'] try: User.objects.get(email=email) except User.DoesNotExist: if not config.ENABLE_SIGNUP: logger.error('%s not found but user registration is disabled.' % email) return render( request, 'error.html', { 'error_msg': _('Error, please contact administrator.'), }) try: user = auth.authenticate(remote_user=email) except User.DoesNotExist: user = None if not user or not user.is_active: logger.error('User %s not found or inactive.' % email) # a page for authenticate user failed return render(request, 'error.html', {'error_msg': _(u'User %s not found.') % email}) # User is valid. Set request.user and persist user in the session # by logging the user in. request.user = user auth.login(request, user) user.set_unusable_password() user.save() # update user's profile name = user_info['name'] if user_info.has_key('name') else '' contact_email = user_info['contact_email'] if \ user_info.has_key('contact_email') else '' profile = Profile.objects.get_profile_by_user(email) if not profile: profile = Profile(user=email) if name: profile.nickname = name.strip() profile.save() if contact_email: profile.contact_email = contact_email.strip() profile.save() # generate auth token for Seafile client keys = ( 'platform', 'device_id', 'device_name', 'client_version', 'platform_version', ) if all([key in request.GET for key in keys]): platform = request.GET['platform'] device_id = request.GET['device_id'] device_name = request.GET['device_name'] client_version = request.GET['client_version'] platform_version = request.GET['platform_version'] token = get_token_v2(request, request.user.username, platform, device_id, device_name, client_version, platform_version) else: token = get_token_v1(request.user.username) # redirect user to home page response = HttpResponseRedirect(reverse('libraries')) response.set_cookie('seahub_auth', email + '@' + token.key) return response
def dingtalk_callback(request): if not ENABLE_DINGTALK: return render_error(request, _('Error, please contact administrator.')) state = request.GET.get('state', '') if not state or state != request.session.get('dingtalk_login_state', ''): logger.error('invalid state') return render_error(request, _('Error, please contact administrator.')) timestamp = str(int(time.time() * 1000)).encode('utf-8') appsecret = DINGTALK_QR_CONNECT_APP_SECRET.encode('utf-8') signature = base64.b64encode( hmac.new(appsecret, timestamp, digestmod=sha256).digest()) parameters = { 'accessKey': DINGTALK_QR_CONNECT_APP_ID, 'timestamp': timestamp, 'signature': signature, } code = request.GET.get('code') data = {"tmp_auth_code": code} full_user_info_url = DINGTALK_QR_CONNECT_USER_INFO_URL + '?' + urllib.parse.urlencode( parameters) user_info_resp = requests.post(full_user_info_url, data=json.dumps(data)) user_info = user_info_resp.json()['user_info'] # seahub authenticate user if 'unionid' not in user_info: logger.error('Required user info not found.') logger.error(user_info) return render_error(request, _('Error, please contact administrator.')) auth_user = SocialAuthUser.objects.get_by_provider_and_uid( 'dingtalk', user_info['unionid']) if auth_user: email = auth_user.username else: email = gen_user_virtual_id() SocialAuthUser.objects.add(email, 'dingtalk', user_info['unionid']) try: user = auth.authenticate(remote_user=email) except User.DoesNotExist: user = None except Exception as e: logger.error(e) return render_error(request, _('Error, please contact administrator.')) if not user or not user.is_active: return render_error(request, _('User %s not found or inactive.') % email) # User is valid. Set request.user and persist user in the session # by logging the user in. request.user = user request.session['remember_me'] = DINGTALK_QR_CONNECT_LOGIN_REMEMBER_ME auth.login(request, user) # update user's profile name = user_info['nick'] if 'nick' in user_info else '' if name: profile = Profile.objects.get_profile_by_user(email) if not profile: profile = Profile(user=email) profile.nickname = name.strip() profile.save() user_detail_info = dingtalk_get_detailed_user_info(user_info['unionid']) contact_email = user_detail_info.get('email', '') if contact_email: profile.contact_email = contact_email profile.save() # generate auth token for Seafile client api_token = get_api_token(request) # redirect user to home page response = HttpResponseRedirect( request.session.get('dingtalk_login_redirect', '/')) response.set_cookie('seahub_auth', email + '@' + api_token.key) return response
def assertion_consumer_service(request, config_loader_path=None, attribute_mapping=None, create_unknown_user=None): """SAML Authorization Response endpoint The IdP will send its response to this view, which will process it with pysaml2 help and log the user in using the custom Authorization backend djangosaml2.backends.Saml2Backend that should be enabled in the settings.py """ attribute_mapping = attribute_mapping or get_custom_setting( 'SAML_ATTRIBUTE_MAPPING', {'uid': ('username', )}) create_unknown_user = create_unknown_user or get_custom_setting( 'SAML_CREATE_UNKNOWN_USER', True) logger.debug('Assertion Consumer Service started') conf = get_config(config_loader_path, request) if 'SAMLResponse' not in request.POST: return HttpResponseBadRequest( 'Couldn\'t find "SAMLResponse" in POST data.') xmlstr = request.POST['SAMLResponse'] client = Saml2Client(conf, identity_cache=IdentityCache(request.session)) oq_cache = OutstandingQueriesCache(request.session) outstanding_queries = oq_cache.outstanding_queries() try: response = client.parse_authn_request_response(xmlstr, BINDING_HTTP_POST, outstanding_queries) except MissingKey: logger.error('MissingKey error in ACS') return HttpResponseForbidden( "The Identity Provider is not configured correctly: " "the certificate key is missing") if response is None: logger.error('SAML response is None') return HttpResponseBadRequest( "SAML response has errors. Please check the logs") session_id = response.session_id() oq_cache.delete(session_id) # authenticate the remote user session_info = response.session_info() if callable(attribute_mapping): attribute_mapping = attribute_mapping() if callable(create_unknown_user): create_unknown_user = create_unknown_user() logger.debug('Trying to authenticate the user') user = auth.authenticate(session_info=session_info, attribute_mapping=attribute_mapping, create_unknown_user=create_unknown_user) if user is None: logger.error('The user is None') return HttpResponseForbidden("Permission denied") if not user.is_active: logger.error('The user is inactive') return HttpResponseForbidden("Permission denied") auth_login(request, user) _set_subject_id(request.session, session_info['name_id']) logger.debug('Sending the post_authenticated signal') post_authenticated.send_robust(sender=user, session_info=session_info) # redirect the user to the view where he came from default_relay_state = get_custom_setting('ACS_DEFAULT_REDIRECT_URL', settings.LOGIN_REDIRECT_URL) relay_state = request.POST.get('RelayState', default_relay_state) if not relay_state: logger.warning('The RelayState parameter exists but is empty') relay_state = default_relay_state logger.debug('Redirecting to the RelayState: %s', relay_state) return HttpResponseRedirect(relay_state)
def weixin_oauth_callback(request): if not weixin_check(): return render_error(request, _('Feature is not enabled.')) code = request.GET.get('code', None) state = request.GET.get('state', None) weixin_oauth_state = request.session.get('weixin_oauth_state', None) weixin_oauth_redirect = request.session.get('weixin_oauth_redirect', redirect_to) org_id = request.session.get('weixin_oauth_org_id', None) is_mobile_weixin = request.session.get('weixin_oauth_is_mobile_weixin', False) # clear session try: del request.session['weixin_oauth_state'] del request.session['weixin_oauth_redirect'] del request.session['weixin_oauth_org_id'] del request.session['weixin_oauth_is_mobile_weixin'] except Exception as e: logger.warning(e) # get api user info if state != weixin_oauth_state or not code: logger.error('can not get right code or state from weixin request') return render_error(request, _('Error, please contact administrator.')) access_token, openid = get_weixin_access_token_and_openid( code, is_mobile_weixin) if not access_token or not openid: logger.error('can not get weixin access_token or openid') return render_error(request, _('Error, please contact administrator.')) weixin_api_user_info = get_weixin_api_user_info(access_token, openid) if not weixin_api_user_info: return render_error(request, _('Error, please contact administrator.')) # main user_id = weixin_api_user_info.get('unionid') uid = WEIXIN_UID_PREFIX + user_id weixin_user = SocialAuthUser.objects.get_by_provider_and_uid( WEIXIN_PROVIDER, uid) if weixin_user: email = weixin_user.username is_new_user = False else: email = None is_new_user = True try: user = auth.authenticate(remote_user=email) except User.DoesNotExist: user = None if not user: return render_error( request, _('Error, new user registration is not allowed, please contact administrator.' )) # bind username = user.username if is_new_user: SocialAuthUser.objects.add(username, WEIXIN_PROVIDER, uid) # org invite for new user if org_id: if is_new_user: ccnet_api.add_org_user(org_id, username, int(False)) else: return render_error(request, '仅限新用户加入机构') # update user info if is_new_user or WEIXIN_USER_INFO_AUTO_UPDATE: api_user = weixin_api_user_info api_user['username'] = username update_weixin_user_info(api_user) if not user.is_active: return render_error( request, _('Your account is created successfully, please wait for administrator to activate your account.' )) # User is valid. Set request.user and persist user in the session # by logging the user in. request.user = user request.session['remember_me'] = REMEMBER_ME auth.login(request, user) # generate auth token for Seafile client api_token = get_api_token(request) # redirect user to page response = HttpResponseRedirect(weixin_oauth_redirect) response.set_cookie('seahub_auth', user.username + '@' + api_token.key) return response