예제 #1
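def login(org_slug=None):
    """Serve the LDAP login page and authenticate the submitted credentials.

    Args:
        org_slug: Optional organisation slug, forwarded to ``url_for`` and to
            the login template.

    Returns:
        A redirect when LDAP login is disabled, when the visitor is already
        authenticated, or after a successful login; otherwise the rendered
        ``login.html`` form (also after a failed POST).
    """
    index_url = url_for("redash.index", org_slug=org_slug)
    # NOTE(review): ``next`` comes straight from the query string and is used
    # below as a redirect target without validation. Restrict it to paths on
    # this site before redirecting, so a login link cannot carry a freshly
    # authenticated user to another origin.
    next_path = request.args.get('next', index_url)

    if not settings.LDAP_LOGIN_ENABLED:
        logger.error("Cannot use LDAP for login without being enabled in settings")
        # Pass org_slug here as well, matching how index_url is built above.
        return redirect(url_for('redash.index', next=next_path, org_slug=org_slug))

    if current_user.is_authenticated:
        return redirect(next_path)

    if request.method == 'POST':
        # NOTE(review): auth_ldap_user is not visible here. Confirm that it
        # rejects an empty password, because some directory servers accept a
        # simple bind with an empty password as an unauthenticated bind.
        user = auth_ldap_user(request.form['email'], request.form['password'])

        if user is not None:
            # Use the first value of the configured display-name and e-mail
            # attributes of the returned entry.
            create_and_login_user(
                current_org,
                user[settings.LDAP_DISPLAY_NAME_KEY][0],
                user[settings.LDAP_EMAIL_KEY][0])
            # An empty ``next=`` falls back to the org-aware index URL.
            return redirect(next_path or index_url)

        flash("Incorrect credentials.")

    return render_template("login.html",
                           org_slug=org_slug,
                           next=next_path,
                           email=request.form.get('email', ''),
                           show_password_login=True,
                           username_prompt=settings.LDAP_CUSTOM_USERNAME_PROMPT,
                           hide_forgot_password=True)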
예제 #2
파일: jwt_auth.py 프로젝트: akariv/redash
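def login():
    """Log a user in from a ``jwt`` query parameter checked by an external server.

    The token is not validated locally. It is forwarded to
    ``settings.JWT_AUTH_SERVER``, and the user is created and logged in only
    when the JSON reply has ``authenticated`` set to ``True``.

    Returns:
        A redirect in every case. Verification failures are logged and end in
        the same redirect, without a login.
    """
    # NOTE(review): ``next`` is used as a redirect target without validation;
    # restrict it to paths on this site before redirecting.
    next_path = request.args.get('next')
    # NOTE(review): a token passed in the query string also ends up in access
    # logs, browser history and Referer headers; prefer a POST body or header.
    jwt = request.args.get('jwt')

    if not settings.JWT_LOGIN_ENABLED:
        logger.error("Cannot use jwt for login without being enabled in settings")
        return redirect(url_for('redash.index', next=next_path))

    auth_server = settings.JWT_AUTH_SERVER
    if not auth_server:
        logger.error("Cannot use jwt for login when there's no auth server")
        return redirect(url_for('redash.index', next=next_path))

    try:
        # The token is a bearer credential, so it is kept out of the logs:
        # anyone able to read them could otherwise replay it.
        # The timeout (seconds, chosen for this fix; tune per deployment)
        # stops a stalled auth server from holding the request open forever.
        profile = requests.get(auth_server, data={'jwt': jwt}, timeout=10).json()
        if profile is not None and profile.get('authenticated') is True:
            profile = profile['profile']
            create_and_login_user(current_org, profile['name'], profile['email'])
        else:
            logger.warning("Failed to verify user with jwt")
    except Exception as e:
        # Deliberately broad: any failure talking to the auth server or
        # reading its reply means "not logged in", never a 500.
        logger.error("Failed to verify jwt: {}".format(e))

    return redirect(next_path or url_for('redash.index'), code=302)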
예제 #3
    def test_creates_vaild_new_user(self):
        """Check that login_user is called and the user can be looked up by e-mail."""
        name = 'Test User'
        email = '*****@*****.**'
        patch_target = 'redash.authentication.google_oauth.login_user'

        with patch(patch_target) as mocked_login:
            create_and_login_user(self.factory.org, name, email)

            self.assertTrue(mocked_login.called)
            # The result is unused; the lookup itself acts as the check
            # (presumably it raises when no row matches -- confirm).
            user = models.User.get(models.User.email == email)
예제 #4
    def test_creates_vaild_new_user(self):
        """Check that login_user is called and a user with the given e-mail exists."""
        name = 'Test User'
        email = u'*****@*****.**'
        patch_target = 'redash.authentication.login_user'

        with patch(patch_target) as mocked_login:
            create_and_login_user(self.factory.org, name, email)

            self.assertTrue(mocked_login.called)
            # .one() is applied to the e-mail filter, then the stored address
            # is compared with the one that was passed in.
            stored = models.User.query.filter(models.User.email == email).one()
            self.assertEqual(stored.email, email)
예제 #5
def idp_initiated(org_slug=None):
    """Consume a SAML response POSTed by the identity provider and log the user in.

    Args:
        org_slug: Optional organisation slug used when building the index URL.

    Returns:
        A redirect to the index page, both when SAML is disabled for the
        organisation and after the user has been logged in.
    """
    if not current_org.get_setting("auth_saml_enabled"):
        logger.error("SAML Login is not enabled")
        return redirect(url_for('redash.index', org_slug=org_slug))

    # NOTE(review): signature and audience checks are whatever
    # get_saml_client() configures, which is not visible here. Confirm that
    # unsigned or mis-addressed assertions are rejected, because the subject
    # and the RedashGroups attribute below decide identity and group membership.
    response = get_saml_client(current_org).parse_authn_request_response(
        request.form['SAMLResponse'],
        entity.BINDING_HTTP_POST)
    response.get_identity()
    email = response.get_subject().text
    first_name = response.ava['FirstName'][0]
    last_name = response.ava['LastName'][0]
    name = "%s %s" % (first_name, last_name)

    # Just-in-time (JIT) provisioning: a user named in the assertion who is
    # not yet in the user store is created first and then logged in.
    user = create_and_login_user(current_org, name, email)

    # Group membership follows the assertion only when the attribute is sent.
    if 'RedashGroups' in response.ava:
        user.update_group_assignments(response.ava.get('RedashGroups'))

    return redirect(url_for('redash.index', org_slug=org_slug))
예제 #6
파일: saml_auth.py 프로젝트: Xangis/redash
def idp_initiated():
    """Consume a SAML response POSTed by the identity provider and log the user in.

    Returns:
        A redirect to the ``index`` endpoint.
    """
    # NOTE(review): signature and audience checks are whatever
    # get_saml_client() configures, which is not visible here. Confirm that
    # unsigned assertions are rejected, because the subject below is taken
    # as the user's e-mail address.
    response = get_saml_client().parse_authn_request_response(
        request.form['SAMLResponse'],
        entity.BINDING_HTTP_POST)
    response.get_identity()
    email = response.get_subject().text
    first_name = response.ava['FirstName'][0]
    last_name = response.ava['LastName'][0]
    name = "%s %s" % (first_name, last_name)

    # Just-in-time (JIT) provisioning: a user named in the assertion who is
    # not yet in the user store is created first and then logged in.
    create_and_login_user(current_org, name, email)

    return redirect(url_for('index'))
예제 #7
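def login(org_slug=None):
    """Log a user in from an identity header supplied with the request.

    Args:
        org_slug: Optional organisation slug used when building index URLs.

    Returns:
        A redirect to the index page when remote-user login is disabled, the
        header is missing, or the group check fails; otherwise a 302 to
        ``next`` (or the index page) after the user has been logged in.
    """
    # NOTE(review): ``next`` is used as a redirect target without validation;
    # restrict it to paths on this site before redirecting.
    next_path = request.args.get('next')

    if not settings.REMOTE_USER_LOGIN_ENABLED:
        logger.error("Cannot use remote user for login without being enabled in settings")
        return redirect(url_for('redash.index', next=next_path, org_slug=org_slug))

    # The header value is accepted as the user's identity with no further
    # proof. That is only safe when every request reaches this app through a
    # proxy that sets the header itself and discards any client-supplied copy.
    email = request.headers.get(settings.REMOTE_USER_HEADER)

    # Some Apache auth configurations will, stupidly, set (null) instead of a
    # falsey value.  Special case that here so it Just Works for more installs.
    # '(null)' should never really be a value that anyone wants to legitimately
    # use as a redash user email.
    if email == '(null)':
        email = None

    if not email:
        logger.error("Cannot use remote user for login when it's not provided in the request (looked in headers['" + settings.REMOTE_USER_HEADER + "'])")
        return redirect(url_for('redash.index', next=next_path, org_slug=org_slug))

    # When group filtering is on, the groups header (same trust assumption as
    # the identity header) must share at least one entry with the allowed set.
    if settings.REMOTE_GROUPS_ENABLED:
        remote_groups = settings.set_from_string(
            request.headers.get(settings.REMOTE_GROUPS_HEADER) or ''
        )
        allowed_groups = settings.REMOTE_GROUPS_ALLOWED
        if not allowed_groups.intersection(remote_groups):
            logger.error(
                "User groups provided in the %s header are not "
                "matching the allowed groups.",
                settings.REMOTE_GROUPS_HEADER
            )
            # Keep org_slug on this redirect too, like the other failure paths.
            return redirect(url_for('redash.index', next=next_path, org_slug=org_slug))

    logger.info("Logging in " + email + " via remote user")
    # The header value serves as both display name and e-mail address.
    create_and_login_user(current_org, email, email)
    return redirect(next_path or url_for('redash.index', org_slug=org_slug), code=302)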
예제 #8
def login():
    """Log a user in from an identity header supplied with the request.

    Returns:
        A redirect to the index page when remote-user login is disabled or
        the header is missing; otherwise a 302 to ``next`` (or the index
        page) after the user has been logged in.
    """
    # NOTE(review): ``next`` is used as a redirect target without validation;
    # restrict it to paths on this site before redirecting.
    destination = request.args.get('next')

    def back_to_index():
        # Shared failure path: index page, carrying ``next`` along.
        return redirect(url_for('redash.index', next=destination))

    if not settings.REMOTE_USER_LOGIN_ENABLED:
        logger.error("Cannot use remote user for login without being enabled in settings")
        return back_to_index()

    # The header value is accepted as the user's identity with no further
    # proof. That is only safe when every request reaches this app through a
    # proxy that sets the header itself and discards any client-supplied copy.
    email = request.headers.get(settings.REMOTE_USER_HEADER)

    # Some Apache auth setups send the literal string '(null)' instead of
    # leaving the header empty; treat it like a missing value, since nobody
    # would legitimately use it as an e-mail address.
    if not email or email == '(null)':
        logger.error("Cannot use remote user for login when it's not provided in the request (looked in headers['" + settings.REMOTE_USER_HEADER + "'])")
        return back_to_index()

    logger.info("Logging in " + email + " via remote user")
    # The header value serves as both display name and e-mail address.
    create_and_login_user(current_org, email, email)
    return redirect(destination or url_for('redash.index'), code=302)
예제 #9
def idp_initiated():
    """Consume a SAML response POSTed by the identity provider and log the user in.

    Returns:
        A redirect to the index page.
    """
    # NOTE(review): signature and audience checks are whatever
    # get_saml_client() configures, which is not visible here. Confirm that
    # unsigned assertions are rejected, because the subject and the
    # RedashGroups attribute below decide identity and group membership.
    response = get_saml_client().parse_authn_request_response(
        request.form['SAMLResponse'], entity.BINDING_HTTP_POST)
    response.get_identity()
    email = response.get_subject().text
    first_name = response.ava['FirstName'][0]
    last_name = response.ava['LastName'][0]
    name = "%s %s" % (first_name, last_name)

    # Just-in-time (JIT) provisioning: a user named in the assertion who is
    # not yet in the user store is created first and then logged in.
    user = create_and_login_user(current_org, name, email)

    # Group membership follows the assertion only when the attribute is sent.
    if 'RedashGroups' in response.ava:
        user.update_group_assignments(response.ava.get('RedashGroups'))

    return redirect(url_for('redash.index'))
예제 #10
    def test_logins_valid_user(self):
        """An existing user is handed to login_user exactly once, with remember=True."""
        existing = self.factory.create_user(email='*****@*****.**')
        patch_target = 'redash.authentication.google_oauth.login_user'

        with patch(patch_target) as mocked_login:
            create_and_login_user(self.factory.org, existing.name, existing.email)
            mocked_login.assert_called_once_with(existing, remember=True)
예제 #11
    def test_updates_user_name(self):
        """Logging in an existing e-mail under a new name still logs in that user."""
        existing = self.factory.create_user(email='*****@*****.**')
        patch_target = 'redash.authentication.login_user'

        with patch(patch_target) as mocked_login:
            create_and_login_user(self.factory.org, "New Name", existing.email)
            # NOTE(review): only the login call is asserted; the stored name
            # is never compared with "New Name" in this test.
            mocked_login.assert_called_once_with(existing, remember=True)
예제 #12
    def test_logins_valid_user(self):
        """An existing user is handed to login_user exactly once, with remember=True."""
        existing = self.factory.create_user(email="*****@*****.**")
        patch_target = "redash.authentication.login_user"

        with patch(patch_target) as mocked_login:
            create_and_login_user(self.factory.org, existing.name, existing.email)
            mocked_login.assert_called_once_with(existing, remember=True)
예제 #13
    def test_updates_user_name(self):
        """Logging in an existing e-mail under a new name still logs in that user."""
        existing = self.factory.create_user(email=u'*****@*****.**')
        patch_target = 'redash.authentication.login_user'

        with patch(patch_target) as mocked_login:
            create_and_login_user(self.factory.org, "New Name", existing.email)
            # NOTE(review): only the login call is asserted; the stored name
            # is never compared with "New Name" in this test.
            mocked_login.assert_called_once_with(existing, remember=True)