def send_account_confirmation(**kwargs):
if not kwargs.get('email'):
return
email = kwargs['email']
source = kwargs['source']
expires_seconds = getattr(settings, 'AUTH_TIMEOUT_SECONDS', 7 * 86400)
payload = kwargs.copy()
payload['nonce'] = ''.join(
random.choice(string.ascii_uppercase)
for _ in range(random.randint(20, 30)))
payload = json.dumps(payload)
authcode = encrypt_authcode(payload, expires_seconds=expires_seconds)
confirmation_url = "{origin}{path}".format(
origin=OriginSetting.HTTP,
path=reverse('v2_api_account_confirm',
kwargs=dict(authcode=authcode)),
)
if source:
confirmation_url = set_url_query_params(confirmation_url,
source=source)
get_adapter().send_mail(
'account/email/email_confirmation_signup', email, {
'HTTP_ORIGIN': settings.HTTP_ORIGIN,
'STATIC_URL': settings.STATIC_URL,
'MEDIA_URL': settings.MEDIA_URL,
'activate_url': confirmation_url,
'email': email,
})
def auto_provision(request, email, first_name, last_name, config):
# Get/Create account and redirect with token or with error message
saml2_account = Saml2Account.objects.filter(uuid=email,
config=config).first()
if saml2_account:
return redirect(redirect_user_to_login(saml2_account.user))
try:
existing_email = CachedEmailAddress.cached.get(email=email)
if not existing_email.verified:
# Email exists but is not verified, auto-provision account and log in
new_account = saml2_new_account(email, config, first_name,
last_name, request)
return redirect(redirect_user_to_login(new_account))
elif existing_email.verified:
# Email exists and is already verified
return redirect(
set_url_query_params(
reverse('saml2_emailexists'),
email=base64.urlsafe_b64encode(
email.encode('utf-8')).decode('utf-8')))
except CachedEmailAddress.DoesNotExist:
provision_data = json.dumps({
'first_name': first_name,
'last_name': last_name,
'email': email,
'idp_name': config.slug # TODO: actual property
})
return redirect(
set_url_query_params(
reverse('saml2_provision'),
request_id=encrypt_authcode(provision_data),
))
def auto_provision(request, emails, first_name, last_name, config):
# Get/Create account and redirect with token or with error message
try:
saml2_account = Saml2Account.objects.filter(uuid__in=emails,
config=config).first()
except Saml2Account.MultipleObjectsReturned:
return redirect(
reverse('saml2_failure',
kwargs=dict(authError="Multiple SAML accounts found.")))
if saml2_account:
if CachedEmailAddress.objects.exclude(user=saml2_account.user).filter(
email__in=emails).count() > 0:
return redirect(
reverse(
'saml2_failure',
kwargs=dict(
authError="Multiple accounts using provided emails.")))
existing_emails = CachedEmailAddress.objects.filter(
user=saml2_account.user).values_list('email', flat=True)
processed_emails = [ee.lower() for ee in existing_emails]
unused = [e for e in emails if e.lower() not in processed_emails]
for e in unused:
CachedEmailAddress.objects.create(email=e,
user=saml2_account.user,
verified=True)
return redirect(redirect_user_to_login(saml2_account.user))
# Check if any/all of the claimed emails already exist as verified
claimed_emails = CachedEmailAddress.cached.filter(email__in=emails,
verified=True)
if claimed_emails.count() > 0:
# If at least one is already verified, grab the first one and redirect with error
email = claimed_emails.first().email
return redirect(
set_url_query_params(reverse('saml2_emailexists'),
email=base64.urlsafe_b64encode(
email.encode('utf-8')).decode('utf-8')))
existing_email = CachedEmailAddress.cached.filter(email__in=emails).first()
if existing_email:
# An email exists but is not verified, auto-provision account and log in
new_account = saml2_new_account(emails, config, first_name, last_name,
request)
return redirect(redirect_user_to_login(new_account))
else:
provision_data = json.dumps({
'first_name': first_name,
'last_name': last_name,
'emails': emails,
'idp_name': config.slug # TODO: actual property
})
return redirect(
set_url_query_params(
reverse('saml2_provision'),
request_id=encrypt_authcode(provision_data),
))
def send_account_confirmation(**kwargs):
if not kwargs.get('email'):
return
email = kwargs['email']
expires_seconds = getattr(settings, 'AUTH_TIMEOUT_SECONDS', 7 * 86400)
payload = kwargs.copy()
payload['nonce'] = b''.join(random.choice(string.ascii_uppercase) for _ in range(random.randint(20, 30)))
payload = json.dumps(payload)
authcode = encrypt_authcode(payload, expires_seconds=expires_seconds)
confirmation_url = "{origin}{path}".format(
origin=OriginSetting.HTTP,
path=reverse('v2_api_account_confirm', kwargs=dict(authcode=authcode)),
)
get_adapter().send_mail('account/email/email_confirmation_signup', email, {
'HTTP_ORIGIN': settings.HTTP_ORIGIN,
'STATIC_URL': settings.STATIC_URL,
'MEDIA_URL': settings.MEDIA_URL,
'activate_url': confirmation_url,
'email': email,
})
def test_can_encrypt_decrypt_authcode(self):
payload = "fakeentityid"
code = encrypt_authcode(payload)
decrypted_payload = decrypt_authcode(code)
self.assertEqual(payload, decrypted_payload)
def test_can_encrypt_decrypt_authcode(self):
payload = "fakeentityid"
code = encrypt_authcode(payload)
decrypted_payload = decrypt_authcode(code)
self.assertEqual(payload, decrypted_payload)