def test_is_safe_url(self, mock): # pylint: disable=R0201
"""
Test that only urls from the same domain are set as safe
by the is_safe_url function
"""
mock.host_url = "https://example.com"
assert is_safe_url("https://example.com") is True
assert is_safe_url("https://google.com") is False
def login_init(self, provider=None):
"""
Checks authorization and if a user is not authorized,
inits the sign-in process and returns a state
"""
logging.debug("Provider: %s", provider)
if g.user is not None and g.user.is_authenticated:
logging.debug("Provider %s is already authorized by %s", provider,
g.user)
return make_response(jsonify(isAuthorized=True))
redirect_url = request.args.get("redirect_url")
if not redirect_url or not is_safe_url(redirect_url):
logging.debug("The arg redirect_url not found or not safe")
return abort(400)
logging.debug("Initialization of authorization process for: %s",
provider)
# libraries assume that
# 'redirect_url' should be available in the session
session['%s_oauthredir' % provider] = redirect_url
state = self.generate_state()
return make_response(jsonify(isAuthorized=False, state=state))
def oauth_authorized(self, provider):
"""View that a user is redirected to from the Oauth server"""
logging.debug("Authorized init")
if "Custom-Api-Token" in request.headers:
logging.debug("Custom-Api-Token is present")
resp = {"access_token": request.headers.get("Custom-Api-Token")}
else:
resp = self.appbuilder.sm.oauth_remotes[
provider].authorize_access_token()
if resp is None:
flash("You denied the request to sign in.", "warning")
return redirect("/login")
logging.debug(f"OAUTH Authorized resp: {resp}")
# Retrieves specific user info from the provider
try:
self.appbuilder.sm.set_oauth_session(provider, resp)
userinfo = self.appbuilder.sm.oauth_user_info(provider, resp)
except Exception as no_user: # pylint: disable=broad-except
logging.error(f"Error returning user info: {no_user}")
user = None
else:
logging.debug(f"User info retrieved from {provider}: {userinfo}")
# User email is not whitelisted
if provider in self.appbuilder.sm.oauth_whitelists:
whitelist = self.appbuilder.sm.oauth_whitelists[provider]
allow = False
for item in whitelist:
if re.search(item, userinfo["email"]):
allow = True
break
if not allow:
flash("You are not authorized.", "warning")
return redirect("/login")
else:
logging.debug("No whitelist for OAuth provider")
user = self.appbuilder.sm.auth_user_oauth(userinfo)
if user is None:
flash(as_unicode(self.invalid_login_message), "warning")
return redirect("/login")
login_user(user)
# handle custom redirection
# first try redirection via a request arg
redirect_url = request.args.get("redirect_url")
# if we dont yet have a direct url, try and get it from configs
if not redirect_url:
redirect_url = self.appbuilder.sm.get_oauth_redirect_url(provider)
# if we have it, do the redirection
if redirect_url:
# check if the url is safe for redirects.
if not is_safe_url(redirect_url):
return abort(400)
return redirect(redirect_url)
return redirect(self.appbuilder.get_url_for_index)
def login(self, provider=None, register=None):
"""The login view from AuthOAuthView"""
logging.debug(f"Provider: {provider}")
# handle redirect
redirect_url = self.appbuilder.get_url_for_index
if request.args.get('redirect_url') is not None:
redirect_url = request.args.get('redirect_url')
if not is_safe_url(redirect_url):
return abort(400)
if g.user is not None and g.user.is_authenticated:
logging.debug(f"Already authenticated {g.user}")
return redirect(redirect_url)
if provider is None:
return self.render_template(
self.login_template,
providers=self.appbuilder.sm.oauth_providers,
title=self.title,
appbuilder=self.appbuilder,
)
logging.debug(f"Going to call authorize for: {provider}")
state = self.generate_state()
try:
scheme = self.appbuilder.app.config.get('PREFERRED_URL_SCHEME',
'https')
if register:
logging.debug("Login to Register")
session["register"] = True
if provider == "twitter":
return self.appbuilder.sm.oauth_remotes[
provider].authorize_redirect(redirect_uri=url_for(
".oauth_authorized",
provider=provider,
_external=True,
_scheme=scheme,
state=state,
))
callback = url_for(".oauth_authorized",
provider=provider,
_external=True,
_scheme=scheme)
return self.appbuilder.sm.oauth_remotes[
provider].authorize_redirect(redirect_uri=callback, )
except Exception as err: # pylint: disable=broad-except
logging.error(f"Error on OAuth authorize: {err}")
flash(as_unicode(self.invalid_login_message), "warning")
return redirect(redirect_url)
def login_init(self, provider=None):
logging.debug(f"Provider: {provider}")
if g.user is not None and g.user.is_authenticated:
logging.debug(
f"Provider {provider} is already authenticated by {g.user}")
return make_response(jsonify(isAuthorized=True))
redirect_url = request.args.get("redirect_url")
if not redirect_url or not is_safe_url(redirect_url):
logging.debug(f"The arg redirect_url not found or not safe")
return abort(400)
logging.debug(
f"Initialization of authorization process for: {provider}")
# libraries assume that 'redirect_url' should be available in the session
session['%s_oauthredir' % provider] = redirect_url
state = self.generateState()
return make_response(jsonify(isAuthorized=False, state=state))