Ejemplo n.º 1
def social_auth(request, backend):
    """Start social authentication for ``backend``.

    Wrapper around social_django.views.auth.

    - Incorporates modified social_django.utils.psa
    - Requires POST (to avoid CSRF on auth); nothing in this body enforces
      the method, so presumably a decorator or the URL conf does -- confirm.
    - Stores current user in session (to avoid CSRF upon completion)
    - Stores session ID in the request URL if needed

    Raises Http404 when ``backend`` does not name a loadable backend.
    """
    # SAML needs an IdP name; default it when the caller did not send one.
    # The query dict is copied first and the copy is what gets modified.
    if backend == "saml" and "idp" not in request.GET:
        query = request.GET.copy()
        query["idp"] = "weblate"
        request.GET = query

    store_userid(request)
    complete_uri = reverse("social:complete", args=(backend,))
    request.social_strategy = load_strategy(request)
    try:
        request.backend = load_backend(
            request.social_strategy, backend, complete_uri
        )
    except MissingBackend:
        raise Http404("Backend not found")

    # Store session ID for OpenID based auth. The session cookies will not be
    # sent on returning POST request due to SameSite cookie policy.
    if isinstance(request.backend, OpenIdAuth):
        # The token pairs the session key with the client IP address.
        # NOTE(review): if dumps is django.core.signing.dumps the payload is
        # signed but not encrypted, so the session key can be read back from
        # any log that records this URL; the completing view should check
        # the IP and bound the token age when it loads it -- confirm.
        authid = dumps(
            (request.session.session_key, get_ip_address(request)),
            salt="weblate.authid",
        )
        request.backend.redirect_uri += "?authid={}".format(authid)
    return do_auth(request.backend, redirect_name=REDIRECT_FIELD_NAME)
Ejemplo n.º 2
def password_reset(request, backend):
    """
    View method for path '/sso/password/reset'.

    Starts the password reset user flow; triggered by the 'Forgot your
    password' hyperlink on the idp selection page.

    The redirect target is read from the query string, then from the
    session, and otherwise defaults to the profile page of the resolved
    domain. It is written back to the session, and the resolved domain
    selects the user flow whose password_reset policy is put on the request.
    """
    requested = request.GET.get(REDIRECT_FIELD_NAME) or request.session.get(
        REDIRECT_FIELD_NAME)

    if not requested:
        domain = request.headers.get(
            "x-upstream-server-name") or request.get_host()
        next_url = "https://{}/sso/profile".format(domain)
        logger.debug(
            "No next url provided,set the next url to '{}'".format(next_url))
    else:
        # NOTE(review): the host of a caller-supplied URL wins over the
        # proxy header and the Host header, so it decides both the stored
        # redirect target and which user flow is loaded below. Confirm that
        # utils.get_domain / get_absolute_url restrict it to known hosts.
        domain = utils.get_domain(requested) or request.headers.get(
            "x-upstream-server-name") or request.get_host()
        next_url = get_absolute_url(requested, domain)
        logger.debug("Found next url '{}'".format(next_url))

    # NOTE(review): x-upstream-server-name is only trustworthy if the
    # fronting proxy always overwrites it -- confirm.
    request.session[REDIRECT_FIELD_NAME] = next_url
    request.policy = models.CustomizableUserflow.get_userflow(
        domain).password_reset
    # redirect_name is a name other than REDIRECT_FIELD_NAME, so whatever
    # do_auth does with the field it is given presumably does not apply to
    # the value stored above -- verify the target is validated elsewhere.
    return do_auth(request.backend, redirect_name="__already_set")
Ejemplo n.º 3
def auth(request, backend):
    """Start authentication, routing multi-tenant backends to the tenant page.

    A backend that is a MultiTenantMixin and has a MULTI_TENANT setting is
    redirected to 'social:tenant'; every other backend goes straight to
    do_auth. ``request.backend`` must already be attached when this runs
    (not visible in this snippet).
    """
    active_backend = request.backend
    wants_tenant_page = (
        isinstance(active_backend, MultiTenantMixin)
        and active_backend.setting('MULTI_TENANT', None) is not None
    )
    if not wants_tenant_page:
        return do_auth(active_backend, redirect_name=REDIRECT_FIELD_NAME)
    return redirect('social:tenant', backend=backend)
Ejemplo n.º 4
def mfa_set(request, backend):
    """
    View method for path '/sso/mfa/set'.

    Starts the MFA set user flow; called after user authentication.

    The redirect target is read from the query string, then from the
    session, and otherwise defaults to the profile page of the resolved
    domain. It is written back to the session, and the resolved domain
    selects the user flow whose mfa_set policy is put on the request.
    """
    requested = request.GET.get(REDIRECT_FIELD_NAME) or request.session.get(
        REDIRECT_FIELD_NAME)

    if not requested:
        domain = request.headers.get(
            "x-upstream-server-name") or request.get_host()
        next_url = "https://{}/sso/profile".format(domain)
        logger.debug(
            "No next url provided,set the next url to '{}'".format(next_url))
    else:
        # NOTE(review): the host of a caller-supplied URL wins over the
        # proxy header and the Host header, so it decides both the stored
        # redirect target and which user flow is loaded below. Confirm that
        # utils.get_domain / get_absolute_url restrict it to known hosts.
        domain = utils.get_domain(requested) or request.headers.get(
            "x-upstream-server-name") or request.get_host()
        next_url = get_absolute_url(requested, domain)
        logger.debug("Found next url '{}'".format(next_url))

    # NOTE(review): the docstring says this runs after authentication, but
    # nothing in this body checks for an authenticated user -- confirm the
    # check is made by a decorator or middleware.
    request.session[REDIRECT_FIELD_NAME] = next_url
    request.policy = models.CustomizableUserflow.get_userflow(domain).mfa_set
    # redirect_name is a name other than REDIRECT_FIELD_NAME, so whatever
    # do_auth does with the field it is given presumably does not apply to
    # the value stored above -- verify the target is validated elsewhere.
    return do_auth(request.backend, redirect_name="already_set")
Ejemplo n.º 5
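 def authenticate(self, trans):
     """Build the strategy and backend for this request and start the flow.

     For the Google backend, when both secondary-auth settings are present
     in ``self.config``, the cloud-platform scope is added to the scopes the
     backend requests. Returns whatever do_auth returns.
     """
     on_the_fly_config(trans.sa_session)
     strategy = Strategy(trans.request, trans.session, Storage, self.config)
     backend = self._load_backend(strategy, self.config['redirect_uri'])
     # Compare by value: `is` only matches when both names refer to the same
     # str object, which depends on interning and is not guaranteed.
     if backend.name == BACKENDS_NAME["google"] and \
             "SOCIAL_AUTH_SECONDARY_AUTH_PROVIDER" in self.config and \
             "SOCIAL_AUTH_SECONDARY_AUTH_ENDPOINT" in self.config:
         cloud_scope = "https://www.googleapis.com/auth/cloud-platform"
         # Append once only: if DEFAULT_SCOPE is a list shared by every
         # instance of the backend class (presumably -- confirm), an
         # unconditional append grows it on each login.
         # NOTE(review): this scope is broad, and through a shared list it
         # would also be requested by later logins that do not need it.
         if cloud_scope not in backend.DEFAULT_SCOPE:
             backend.DEFAULT_SCOPE.append(cloud_scope)
     return do_auth(backend)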
Ejemplo n.º 6
def auth(request, provider):
    """Start the social-auth flow for the backend named ``provider``.

    Attaches a DjangoStrategy to the request, instantiates the backend with
    the 'social:complete' URL as its callback and hands it to do_auth.
    Raises Http404 when ``provider`` does not name a known backend.
    """
    complete_url = reverse("social:complete", args=(provider,))
    request.social_strategy = DjangoStrategy(DjangoStorage, request)
    try:
        # The provider name comes from the URL; an unknown name surfaces as
        # MissingBackend and is reported as a plain 404.
        backend_obj = get_backend(BACKENDS, provider)(
            request.social_strategy, complete_url
        )
    except MissingBackend:
        raise Http404('Backend not found')

    return do_auth(backend_obj, redirect_name=REDIRECT_FIELD_NAME)
Ejemplo n.º 7
def tenant(request, backend):
    """
    Handle tenant page request.

    GET renders an empty tenant form. POST validates the submitted tenant,
    sets it on the backend and starts authentication; an invalid tenant
    re-renders the form with an error. Backends without multi-tenant
    support are sent back to the login page.
    """
    # Send back to login if tenant page accessed for non-multi-tenant backend
    if not isinstance(request.backend, MultiTenantMixin):
        log.error(
            f'Backend "{request.backend.name}" does not support MULTI_TENANT features.'
        )
        return redirect('accounts:login')

    # Get the Tenant alias to use for titles in the form
    tenant_alias = getattr(settings, 'SSO_TENANT_ALIAS', 'Tenant').title()

    if request.method != 'POST':
        # Create new empty form
        form = SsoTenantForm()
    elif 'sso-tenant-submit' not in request.POST:
        return HttpResponseBadRequest()
    else:
        # Create form bound to request data
        form = SsoTenantForm(request.POST)

        if form.is_valid():
            cleaned_tenant = form.cleaned_data.get('tenant')

            try:
                # Setting the tenant on the backend performs normalization and validation of tenant
                # Part of the validation is that the provided tenant is in the MULTI_TENANT setting.
                request.backend.tenant = cleaned_tenant
                # NOTE(review): do_auth sits inside the same try, so a
                # ValueError raised by it is also shown as an invalid tenant.
                return do_auth(request.backend,
                               redirect_name=REDIRECT_FIELD_NAME)
            except ImproperlyConfigured as e:
                # No MULTI_TENANT settings configured: log error and redirect back to login view
                log.error(str(e))
                return redirect('accounts:login')
            except ValueError:
                # Set form error and re-render form; the message uses the
                # configured alias and does not echo the submitted value.
                form.add_error(
                    'tenant', f'Invalid {tenant_alias.lower()} provided.')

    context = {
        'form': form,
        'form_title': tenant_alias,
        'page_title': tenant_alias,
        'backend': backend,
    }

    return render(request, 'tethys_portal/accounts/sso_tenant.html', context)
Ejemplo n.º 8
    def _auth(self, request, app):
        """Save the caller's auth parameters in the session and start the flow.

        Reads 'auth_uri', 'project' and 'redirect_uri' from the request
        arguments (None when absent), stores each under its session key,
        initialises the backend through init_auth and returns the result of
        do_auth.
        """
        auth_uri, project, redirect_uri = [
            request.get_argument(arg_name, None)
            for arg_name in ('auth_uri', 'project', 'redirect_uri')
        ]

        # NOTE(review): all three values are caller-supplied and stored as
        # given. Whatever later reads auth_uri / redirect_uri back from the
        # session should check them against an allow-list -- confirm where.
        configuration.session_set(request, AUTH_URI_KEY, auth_uri)
        configuration.session_set(request, PROJECT_KEY, project)
        configuration.session_set(request, REDIRECT_URI_KEY, redirect_uri)

        self.init_auth(request, app)
        return do_auth(self.backend)
Ejemplo n.º 9
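def social_login_begin(request, backend):
    """Start a social login and return the provider URL to the frontend.

    The callback URL is built from settings.FRONTEND_ADDRESS and the backend
    name. Responds with ``{'url': ...}`` on success, 400 when the backend
    name is unknown, and 500 when do_auth yields a falsy result.
    """
    strategy = load_strategy(request)
    # Built outside the try so that only the backend lookup is guarded.
    redirect_uri = (settings.FRONTEND_ADDRESS + '/accounts/social-auth/' +
                    backend + '/')
    try:
        # load_backend rejects names that are not configured, so an
        # arbitrary path segment does not get past this point.
        loaded_backend = load_backend(strategy=strategy,
                                      name=backend,
                                      redirect_uri=redirect_uri)
    except MissingBackend:
        return Response(status=status.HTTP_400_BAD_REQUEST)
    auth = do_auth(loaded_backend)
    if auth:
        return Response({'url': auth.url})
    # Assumes `status` is rest_framework.status, which defines
    # HTTP_500_INTERNAL_SERVER_ERROR and has no HTTP_500_SERVER_ERROR, so
    # the old name would raise AttributeError here -- confirm the import.
    return Response(status=status.HTTP_500_INTERNAL_SERVER_ERROR)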
Ejemplo n.º 10
def _auth():
    """Start authentication for the backend selected in the current request.

    The 'remember' request variable is stored in the session first. The
    'persona' backend is redirected to the 'complete' action with the
    request variables; any other backend goes through do_auth, and
    exceptions it raises are passed to process_exception.
    """
    req = current.request
    request_vars = req.vars

    # Store "remember me" value in session (taken from the request as given)
    current.strategy.session_set('remember', request_vars.get('remember', False))

    if request_vars.backend != 'persona':
        try:
            return do_auth(current.backend)
        except Exception as exc:
            # Every exception type is routed here; if process_exception
            # returns normally, this function returns None.
            process_exception(exc)
    else:
        # Mozilla Persona: drop an empty assertion before forwarding
        if request_vars.assertion == '':
            del request_vars.assertion
        redirect(URL(f='complete', args=['persona'], vars=request_vars))
Ejemplo n.º 11
def _auth():
    """Begin the login flow, handling Mozilla Persona as a special case.

    Saves the request's 'remember' value in the session, then either
    redirects a 'persona' login to the 'complete' action or calls do_auth
    on the current backend. Exceptions from do_auth are handed to
    process_exception.
    """
    params = current.request.vars

    # Store "remember me" value in session; defaults to False when absent
    remember = params.get('remember', False)
    current.strategy.session_set('remember', remember)

    is_persona = params.backend == 'persona'
    if is_persona:
        # Mozilla Persona
        if params.assertion == '':
            del params.assertion
        redirect(URL(f='complete', args=['persona'], vars=params))
    else:
        try:
            return do_auth(current.backend)
        except Exception as err:
            # Broad catch: all errors are delegated to process_exception.
            process_exception(err)
Ejemplo n.º 12
def auth(request, backend):
    """Start the social-auth flow for the backend bound to the request.

    The ``backend`` argument is not read here; ``request.backend`` must be
    attached before this body runs (not visible in this snippet).
    """
    active_backend = request.backend
    return do_auth(active_backend)
Ejemplo n.º 13
 def _auth(self):
     """Start the social-auth flow for the backend held on ``self.request``."""
     # self.request.backend is set outside this method (not shown here).
     active_backend = self.request.backend
     return do_auth(active_backend)
Ejemplo n.º 14
 def authenticate(self, trans):
     """Build the strategy and backend for ``trans`` and start the flow.

     The callback URL comes from ``self.config['redirect_uri']``; the return
     value is whatever do_auth returns.
     """
     on_the_fly_config(trans.sa_session)
     psa_strategy = Strategy(trans.request, trans.session, Storage, self.config)
     callback_uri = self.config['redirect_uri']
     loaded_backend = self._load_backend(psa_strategy, callback_uri)
     return do_auth(loaded_backend)
Ejemplo n.º 15
def add_social_account(request):
    """Start a flow that adds a social account in the current discussion.

    Records the discussion slug from the route and sets the 'add_account'
    session flag to True before handing the backend to do_auth.
    """
    discussion_slug = request.matchdict['discussion_slug']
    request.session['discussion'] = discussion_slug
    # NOTE(review): nothing in this body checks that a user is logged in
    # before the add-account flag is set -- confirm the view's permission.
    request.session['add_account'] = True
    # TODO: Make False later.
    return do_auth(request.backend, redirect_name='next')
Ejemplo n.º 16
 def _auth(self, backend):
     """Start the social-auth flow for ``self.backend``.

     The ``backend`` argument is not read here. The result of do_auth is
     discarded and the method returns None, so any redirect presumably
     happens as a side effect of the strategy -- confirm.
     """
     active_backend = self.backend
     do_auth(active_backend)
Ejemplo n.º 17
 def authenticate(self, trans):
     """Configure the storage, load the backend and start the flow.

     The callback URL comes from ``self.config['redirect_uri']``; the return
     value is whatever do_auth returns.
     """
     self._on_the_fly_config(trans)
     psa_strategy = Strategy(trans, Storage, self.config)
     callback_uri = self.config['redirect_uri']
     loaded_backend = self._load_backend(psa_strategy, callback_uri)
     return do_auth(loaded_backend)
Ejemplo n.º 18
def auth(request, backend):
    """Start the social-auth flow for the backend bound to the request.

    ``backend`` is not read here; ``request.backend`` must be attached
    before this body runs (not visible in this snippet).
    """
    active_backend = request.backend
    # redirect_name tells do_auth which request field names the redirect
    # target; what do_auth does with that value is not shown here.
    return do_auth(active_backend, redirect_name=REDIRECT_FIELD_NAME)
Ejemplo n.º 19
def auth(request, _backend):
    """Social authentication view.

    The ``_backend`` argument is deliberately unused; the backend is taken
    from ``request.backend``, which is attached outside this body.
    """
    active_backend = request.backend
    return do_auth(active_backend, redirect_name=REDIRECT_FIELD_NAME)
Ejemplo n.º 20
 def authenticate(self, trans):
     """Start authentication with a backend built from ``self.config``.

     Runs on_the_fly_config on the transaction's SQLAlchemy session, builds
     a Strategy from the request and session, loads the backend with the
     configured redirect URI and returns the result of do_auth.
     """
     on_the_fly_config(trans.sa_session)
     flow_strategy = Strategy(
         trans.request, trans.session, Storage, self.config
     )
     flow_backend = self._load_backend(
         flow_strategy, self.config['redirect_uri']
     )
     return do_auth(flow_backend)
Ejemplo n.º 21
def auth(request):
    """Start a fresh login in the discussion named by the route.

    Calls forget() on the request, records the discussion slug and clears
    the 'add_account' session flag, then hands the backend to do_auth.
    """
    # NOTE(review): the return value of forget() is discarded. If this is
    # pyramid.security.forget, it returns headers that only take effect
    # when added to a response, so the previous identity may survive
    # unless the policy clears it as a side effect -- confirm.
    forget(request)
    discussion_slug = request.matchdict['discussion_slug']
    request.session['discussion'] = discussion_slug
    request.session['add_account'] = False
    return do_auth(request.backend, redirect_name='next')
Ejemplo n.º 22
def login(backend):
    """Start the social-auth flow for the backend stored on ``g``.

    The ``backend`` argument is not read here; ``g.backend`` must be set
    before this body runs (not visible in this snippet).
    """
    active_backend = g.backend
    return do_auth(active_backend)
Ejemplo n.º 23
def auth(request):
    """Start the social-auth flow for the backend bound to the request."""
    active_backend = request.backend
    # 'next' is the request field do_auth is told to treat as the redirect
    # target; how that value is checked is inside do_auth (not shown).
    return do_auth(active_backend, redirect_name='next')
Ejemplo n.º 24
def auth(backend):
    """Start the social-auth flow for the backend stored on ``g``.

    The ``backend`` argument is not read here; ``g.backend`` is populated
    outside this body.
    """
    current_backend = g.backend
    return do_auth(current_backend)
Ejemplo n.º 25
def auth(request, backend, slug):
    """Start the flow for a candidate page, remembering its slug.

    Responds with 404 when no Candidate has the given slug; otherwise the
    slug is stored in the strategy session under 'facebook_slug' and the
    backend is handed to do_auth.
    """
    # The lookup is kept only as a guard: its result is not used, but an
    # unknown slug stops here instead of being written to the session.
    get_object_or_404(Candidate, slug=slug)
    active_backend = request.backend
    active_backend.strategy.session_set('facebook_slug', slug)
    return do_auth(active_backend)
Ejemplo n.º 26
def auth(request, backend):
    """Hand the request's backend to do_auth to begin authentication.

    ``backend`` is unused in this body; the backend object is read from
    ``request.backend``, which is set elsewhere.
    """
    selected = request.backend
    return do_auth(selected, redirect_name=REDIRECT_FIELD_NAME)
Ejemplo n.º 27
 def authenticate(self, trans):
     """Start authentication with a backend built from ``self.config``.

     Runs the instance's on-the-fly configuration for ``trans``, builds a
     Strategy, loads the backend with the configured redirect URI and
     returns the result of do_auth.
     """
     self._on_the_fly_config(trans)
     flow_strategy = Strategy(trans, Storage, self.config)
     flow_backend = self._load_backend(
         flow_strategy, self.config['redirect_uri']
     )
     return do_auth(flow_backend)
Ejemplo n.º 28
 def login(self, backend):
     """Start the social-auth flow for ``self.backend``.

     The ``backend`` argument is not read here; ``self.backend`` is set
     outside this method (not shown).
     """
     active_backend = self.backend
     return do_auth(active_backend)
def auth(request, backend):
    """Begin authentication with the backend attached to the request.

    ``backend`` is unused in this body; ``request.backend`` is provided
    from outside it.
    """
    selected = request.backend
    return do_auth(selected)
Ejemplo n.º 30
def auth(request):
    """Begin a login for the discussion in the route, dropping prior identity.

    forget() is called first, then the discussion slug is stored in the
    session with 'add_account' set to False, and do_auth starts the flow.
    """
    # NOTE(review): forget()'s result is not used. Presumably this relies
    # on the authentication policy clearing state as a side effect; if it
    # only returns headers, they are lost here -- verify.
    forget(request)
    slug = request.matchdict['discussion_slug']
    request.session['discussion'] = slug
    request.session['add_account'] = False
    return do_auth(request.backend, redirect_name='next')
def auth(request, backend, slug):
    """Begin authentication on behalf of the candidate identified by ``slug``.

    An unknown slug yields a 404. A known slug is saved in the strategy
    session as 'facebook_slug' before do_auth is called.
    """
    # Existence check only; the Candidate object itself is not needed.
    get_object_or_404(Candidate, slug=slug)
    strategy = request.backend.strategy
    strategy.session_set('facebook_slug', slug)
    return do_auth(request.backend)
Ejemplo n.º 32
def add_social_account(request):
    """Begin linking an additional social account within a discussion.

    Stores the route's discussion slug and an 'add_account' flag of True in
    the session, then starts the flow through do_auth.
    """
    slug = request.matchdict['discussion_slug']
    request.session['discussion'] = slug
    # NOTE(review): this body does not itself require an authenticated
    # user before marking the flow as "add account" -- confirm the view's
    # permission configuration covers it.
    request.session['add_account'] = True
    # TODO: Make False later.
    return do_auth(request.backend, redirect_name='next')
Ejemplo n.º 33
def auth_view(request, backend, *args, **kwargs):
    """Start the social-auth flow for the backend bound to the request.

    ``backend`` and any extra positional or keyword arguments are accepted
    but not read; ``request.backend`` is attached outside this body.
    """
    active_backend = request.backend
    return do_auth(active_backend, redirect_name=REDIRECT_FIELD_NAME)
Ejemplo n.º 34
 def _auth(self, backend):
     """Start the social-auth flow for ``self.backend`` and return its result.

     The ``backend`` argument is not read here; ``self.backend`` is set
     outside this method (not shown).
     """
     active_backend = self.backend
     return do_auth(active_backend)