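def saml():
    """Handle the SAML login flow for the ``saml`` authentication method.

    GET: redirect the browser to the IdP login page.
    Any other method (the IdP posting the assertion back): validate the SAML
    response, retrying once per extra IdP certificate listed under
    ``idp.additionalX509certs`` when only the signature check fails, create
    the local ``User`` on first login, store the user in the Flask ``session``
    and redirect to ``RelayState`` (same site only) or ``/``.

    Aborts with 404 when SAML is not an enabled authentication method and with
    400 when a validated response lacks one of the configured SP attributes.
    """
    if "saml" not in syllabus.get_config()['authentication_methods']:
        abort(404)
    req = prepare_request(request)
    # hack to ensure to have the correct path and to avoid RelayState loops
    req['request_uri'] = request.path
    auth = init_saml_auth(req, saml_config)
    if request.method == "GET":
        return redirect(auth.login())

    auth.process_response()
    errors = auth.get_errors()
    # Try and check if IdP is using several signature certificates.
    # This is a limitation of python3-saml: one settings object holds a single
    # IdP certificate, so re-validate once per extra certificate and stop at
    # the first one that validates (or at the first non-signature error).
    signature_failure = "Signature validation failed. SAML Response rejected"
    for cert in saml_config["idp"].get("additionalX509certs", []):
        if auth.get_last_error_reason() != signature_failure:
            break
        import copy
        # Change used IdP certificate
        new_settings = copy.deepcopy(saml_config)
        new_settings["idp"]["x509cert"] = cert
        # Retry processing response
        auth = init_saml_auth(req, new_settings)
        auth.process_response()
        errors = auth.get_errors()

    if errors:
        # Invalid response; the reasons are in ``errors`` and
        # ``auth.get_last_error_reason()`` and are deliberately not shown.
        return seeother("/")

    attrs = auth.get_attributes()
    attr_names = saml_config['sp']['attrs']
    try:
        username = attrs[attr_names['username']][0]
        realname = attrs[attr_names['realname']][0]
        email = attrs[attr_names['email']][0]
    except (KeyError, IndexError):
        # The IdP did not release one of the attributes the SP relies on
        abort(400)
    user = User.query.filter(User.email == email).first()
    if user is None:
        # The user does not exist in our DB
        user = User(name=username, full_name=realname, email=email, hash_password=None, change_password_url=None)
        db_session.add(user)
        db_session.commit()
    session["user"] = user.to_dict()
    session["user"].update({"login_method": "saml"})

    self_url = OneLogin_Saml2_Utils.get_self_url(req)
    relay_state = request.form.get('RelayState')
    if relay_state and relay_state != self_url:
        from urllib.parse import urlsplit
        # RelayState is attacker-controllable form input; only follow it when it
        # is relative or points at this host, otherwise the login endpoint
        # becomes an open redirect.
        if urlsplit(relay_state).netloc in ("", request.host):
            return redirect(auth.redirect_to(relay_state))
    return seeother("/")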
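def users():
    """Admin page listing users and toggling a user's ``admin`` right.

    POST with ``action=change_right``: set ``right`` of the user named in the
    ``username`` field to ``"admin"`` when the ``admin`` checkbox is ``on``,
    else ``None``; the caller cannot edit their own rights and an unknown
    username is a no-op. Any other POST reloads the page. GET renders
    ``users.html`` (404 if the template is missing).
    """
    # NOTE(review): no admin-only check is visible in this block; it is
    # presumably enforced by a route decorator outside this view -- confirm.
    if request.method == 'POST':
        inpt = request.form
        if inpt.get("action") == "change_right":
            username = inpt.get("username")
            # Guard before querying: ``User.username == None`` would compile to
            # ``IS NULL`` rather than matching nothing.
            if not username:
                return seeother(request.path)
            user = User.query.filter(User.username == username).first()
            # Unknown user, or an attempt to edit one's own rights: no-op
            if user is None or user.username == session["user"]["username"]:
                return seeother(request.path)
            user.right = "admin" if inpt.get("admin") == "on" else None
            db_session.commit()
            return seeother(request.path, SuccessFeedback("The rights of %s have been successfully edited" % user.username))
        return seeother(request.path)
    try:
        return render_template('users.html', active_element=sidebar['active_element'], sidebar_elements=sidebar['elements'], users=User.query.all(), feedback=pop_feeback(session))
    except TemplateNotFound:
        abort(404)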
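def reset_password(secret):
    """Password-reset page reached through a one-time link.

    ``secret`` is the token from the link and must equal a user's
    ``change_password_url``; otherwise the visitor is sent to ``/``.
    GET renders the form. POST requires both password fields to be equal
    and non-empty, stores the new hash and clears the token so the link
    cannot be reused. Other methods get 405.
    """
    user = db_session.query(User).filter(User.change_password_url == secret).first()
    if user is None:
        # TODO: log
        return seeother("/")
    if request.method == "GET":
        return render_template("reset_password.html", alert_hidden=True)
    if request.method != "POST":
        abort(405)
    inpt = request.form
    password = inpt.get("password", "")
    password_confirm = inpt.get("password_confirm", "")
    # An empty password would otherwise be hashed and accepted; treat it like a mismatch
    if not password or password != password_confirm:
        return render_template("reset_password.html", alert_hidden=False)
    user.hash_password = hash_password(password.encode("utf-8"))
    # Consume the token so the same link cannot reset the password again
    user.change_password_url = None
    db_session.commit()
    return seeother("/login")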
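def saml():
    """Handle the SAML login flow for the ``saml`` authentication method.

    GET: redirect the browser to the IdP login page.
    Other methods with ``acs`` in the query string (the IdP posting the
    assertion back): validate the SAML response, create the local ``User`` on
    first login, store the user in the Flask ``session`` and redirect to
    ``RelayState`` (same site only) or ``/``. Anything else goes to ``/``.

    Aborts with 404 when SAML is not an enabled authentication method and with
    400 when a validated response lacks one of the configured SP attributes.
    """
    if "saml" not in syllabus.get_config()['authentication_methods']:
        abort(404)
    req = prepare_request(request)
    # hack to ensure to have the correct path and to avoid RelayState loops
    req['request_uri'] = request.path
    auth = init_saml_auth(req, saml_config)
    if request.method == "GET":
        return redirect(auth.login())
    if 'acs' not in request.args:
        # Neither a login request nor an assertion for the ACS endpoint
        return seeother("/")

    auth.process_response()
    if auth.get_errors():
        # Invalid response; the reasons are in ``auth.get_errors()`` and
        # ``auth.get_last_error_reason()`` and are deliberately not shown.
        return seeother("/")

    attrs = auth.get_attributes()
    attr_names = saml_config['sp']['attrs']
    try:
        username = attrs[attr_names['username']][0]
        realname = attrs[attr_names['realname']][0]
        email = attrs[attr_names['email']][0]
    except (KeyError, IndexError):
        # The IdP did not release one of the attributes the SP relies on
        abort(400)
    user = User.query.filter(User.email == email).first()
    if user is None:
        # The user does not exist in our DB
        user = User(name=username, full_name=realname, email=email, hash_password=None, change_password_url=None)
        db_session.add(user)
        db_session.commit()
    session["user"] = user.to_dict()
    session["user"].update({"login_method": "saml"})

    self_url = OneLogin_Saml2_Utils.get_self_url(req)
    relay_state = request.form.get('RelayState')
    if relay_state and relay_state != self_url:
        from urllib.parse import urlsplit
        # RelayState is attacker-controllable form input; only follow it when it
        # is relative or points at this host, otherwise the login endpoint
        # becomes an open redirect.
        if urlsplit(relay_state).netloc in ("", request.host):
            return redirect(auth.redirect_to(relay_state))
    return seeother("/")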
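def reset_password(secret):
    """Password-reset page reached through a one-time link.

    ``secret`` is the token from the link and must equal a user's
    ``change_password_url``; otherwise the visitor is sent to ``/``.
    GET renders the form. POST requires both password fields to be equal
    and non-empty, hashes the password with the configured global salt and
    iteration count, stores it and clears the token so the link cannot be
    reused. Other methods get 405.
    """
    user = db_session.query(User).filter(User.change_password_url == secret).first()
    if user is None:
        # TODO: log
        return seeother("/")
    if request.method == "GET":
        return render_template("reset_password.html", alert_hidden=True)
    if request.method != "POST":
        abort(405)
    inpt = request.form
    password = inpt.get("password", "")
    password_confirm = inpt.get("password_confirm", "")
    # An empty password would otherwise be hashed and accepted; treat it like a mismatch
    if not password or password != password_confirm:
        return render_template("reset_password.html", alert_hidden=False)
    config = syllabus.get_config()
    user.hash_password = hash_password_func(
        email=user.email,
        password=password,
        global_salt=config.get('password_salt', None),
        n_iterations=config.get('password_hash_iterations', 100000),
    )
    # Consume the token so the same link cannot reset the password again
    user.change_password_url = None
    db_session.commit()
    return seeother("/login")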