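    def slo(self):
        """
        Revoke the delivered access token and log the user out.

        Sends a token-revocation request to the provider, then redirects the
        browser to the provider's end-session endpoint with a
        ``post_logout_redirect_uri`` pointing back at the organization's
        ``/logout`` page (which is where the local session is expected to be
        cleared).  An anonymous caller is simply redirected to the
        organization page.

        The request must come from this host: a missing referer, or one whose
        host part does not match ``request.host``, is sent back to ``/``.
        """
        try:
            from urllib.parse import urlencode, urlparse
        except ImportError:  # Python 2
            from urllib import urlencode
            from urlparse import urlparse

        # Compare the referer's host, not a substring: a referer such as
        # ``https://evil.example/?q=<our host>`` would satisfy
        # ``request.host in request.referer``.
        referer = request.referer
        if not referer or urlparse(referer).netloc.lower() != request.host.lower():
            return redirect_to('/')

        g = model.Group.get(session['organization_id'])
        org_url = str(url_for(host=request.host,
                              controller='organization',
                              action='read',
                              id=g.name,
                              qualified=True))

        if not toolkit.c.user:
            return redirect_to(org_url)

        client = Clients.get_client(g)
        redirect_uri = org_url + '/logout'

        # Revoke the access token (RFC 7009).  Form-encode the body instead of
        # concatenating so a token containing '&' or '=' cannot alter it, and
        # skip the call when no token is stored instead of raising TypeError.
        access_token = session.get('access_token')
        if access_token:
            headers = {'Content-Type': 'application/x-www-form-urlencoded'}
            data = urlencode([('token', access_token),
                              ('token_type_hint', 'access_token')])
            client.http_request(client.revocation_endpoint, 'POST',
                                data=data, headers=headers)

        # Redirect to the IdP's end-session endpoint.  Both parameters are
        # percent-encoded so the redirect URI survives as one query value.
        logout_url = client.end_session_endpoint + '?' + urlencode([
            ('id_token_hint', session.get('id_token') or ''),
            ('post_logout_redirect_uri', redirect_uri),
        ])
        return redirect_to(str(logout_url))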
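def slo():
    """
    Revoke the delivered access token and log the user out.

    Steps (see the Ozwillo single-sign-out documentation linked inline):

    1. revoke the access token at the provider's revocation endpoint;
    2. invalidate the local session, clear ``c.user``/``c.userobj`` and ask
       the browser to drop every cookie it sent;
    3. redirect the browser to the provider's end-session endpoint, which
       sends it back to the organization's ``/logout`` page afterwards.

    A caller whose referrer is missing or not from this host is sent to
    ``/``; an anonymous caller is sent straight to the organization page.
    """
    try:
        from urllib.parse import urlencode, urlparse
    except ImportError:  # Python 2
        from urllib import urlencode
        from urlparse import urlparse

    # Compare the referrer's host, not a substring: a referrer such as
    # ``https://evil.example/?q=<our host>`` would satisfy
    # ``request.host in request.referrer``.
    referrer = request.referrer
    if not referrer or urlparse(referrer).netloc.lower() != request.host.lower():
        return redirect_to('/')

    log.info('Preparing to logging out: %s' % c.user)

    g = model.Group.get(session['organization_id'])
    org_url = str(url_for(host=request.host,
                          controller='organization',
                          action='read',
                          id=g.name,
                          qualified=True))

    if not c.user:
        return redirect_to(org_url)

    client = Clients.get_client(g)
    redirect_uri = org_url + '/logout'

    # 1. revoke the access token (https://doc.ozwillo.com/#1-revoke-known-tokens)
    # Form-encode the body instead of concatenating so a token containing
    # '&' or '=' cannot alter it; a missing token skips the call instead of
    # raising TypeError.
    access_token = session.get('access_token')
    if access_token:
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        data = urlencode([('token', access_token),
                          ('token_type_hint', 'access_token')])
        client.http_request(client.revocation_endpoint,
                            'POST',
                            data=data,
                            headers=headers)

    # 2. invalidate the local session
    #    (https://doc.ozwillo.com/#2-invalidate-the-applications-local-session)
    id_token = session.get('id_token')
    session.invalidate()
    c.user = None
    c.userobj = None

    # 3. redirect to IDP logout (https://doc.ozwillo.com/#3-single-sign-out)
    # Both parameters are percent-encoded so the redirect URI survives as a
    # single query value.
    logout_url = client.end_session_endpoint + '?' + urlencode([
        ('id_token_hint', id_token or ''),
        ('post_logout_redirect_uri', redirect_uri),
    ])

    # Log the endpoint only: the full URL carries the ID token.
    log.info('Redirecting user to: %s' % client.end_session_endpoint)

    # Delete the cookies on the response that is actually returned; a
    # separate ``Response()`` that is never sent never reaches the browser.
    resp = redirect_to(str(logout_url))
    for cookie in request.cookies:
        resp.delete_cookie(cookie)
    return resp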
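 def send_user_message(self):
     """
     Forward the caller's chat message to Rasa and write the reply as JSON.

     Expects a JSON object body with a ``"text"`` key.  The reply written to
     ``response.body`` is ``{"bot": ..., "error": <bool>}``: ``bot`` is the
     list of Rasa responses on success, otherwise a message explaining the
     failure (unparseable body, missing ``text``, Rasa down, empty reply).

     The conversation id sent to Rasa is the web session id, stored in the
     session under ``sender_id`` on first use.
     """
     body = {}

     def reject(reason):
         # Common shape for every client-side failure.
         logger.info(reason)
         body["bot"] = reason
         body["error"] = True
         response.body = json.dumps(body)

     try:
         request_body = json.loads(request.body)
     except Exception:
         # Didn't get appropriate JSON format
         reject("Inappropriate body format - body must be application/json")
         return
     # Valid JSON is not necessarily a usable request: anything that is not
     # an object carrying "text" used to raise KeyError/TypeError here.
     if not isinstance(request_body, dict) or "text" not in request_body:
         reject("Inappropriate body format - body must be a JSON object with a \"text\" field")
         return

     if not session.get("sender_id"):
         session["sender_id"] = session.id
         session.save()
     sender_id = session["sender_id"]
     message = request_body["text"]

     version_connector = VersionConnector()
     if not version_connector.query_rasa():
         body["bot"] = ["Rasa server is down"]
         body["error"] = True
     else:
         # Returns a list of responses
         bot_response = self.rasa_handle_message(message, sender_id)
         if not bot_response:
             body["error"] = True
             bot_response = {
                 "type": "string",
                 "data": "DataBot didn't get any response. DataBot server is probably down."
             }
         body["bot"] = bot_response
     response.body = json.dumps(body)
     return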
def _allow_caching(cache_force: Optional[bool] = None):
    """Work out whether the current response may be cached.

    ``cache_force`` overrides the heuristics when it is not ``None``.
    Otherwise caching is refused for any of: a logged-in user (``g.user``
    or valid session-cookie data), a ``_user_id`` in the session, a
    ``__no_cache__`` marker already in the WSGI environ or in the query
    string, or ``ckan.cache_enabled`` being off in config.

    A negative verdict is recorded as ``request.environ['__no_cache__']``
    so that nothing rendered later in this request is cached either.
    """
    if cache_force is not None:
        allow_cache = cache_force
    else:
        # Probed lazily and in order: a later check runs only when none of
        # the earlier ones has already vetoed caching.
        vetoes = (
            lambda: ('user' in g and g.user) or _is_valid_session_cookie_data(),
            lambda: session.get("_user_id"),
            lambda: request.environ.get('__no_cache__'),
            lambda: request.args.get('__no_cache__'),
            lambda: not config.get_value('ckan.cache_enabled'),
        )
        allow_cache = not any(veto() for veto in vetoes)

    if not allow_cache:
        # Prevent any further rendering from being cached.
        request.environ['__no_cache__'] = True
def callback(id):
    """
    OIDC callback for organization ``id``.

    Exchanges the provider's response for user info and tokens via
    ``client.callback`` and stores ``access_token``/``id_token`` in the
    session.  On ``OIDCError`` the user is shown "Login failed" and sent to
    the organization page.  (The success path continues beyond this excerpt.)
    """
    # Blueprints act strangely after user is logged in once. It will skip
    # SSO and user/login when trying to log in from different account and
    # directly get here. This is a workaround to force login user if not
    # redirected from loging page (as it sets important values in session)
    if not session.get('from_login'):
        return sso(id)
    session['from_login'] = False
    g_ = model.Group.get(session.get('organization_id', id))
    client = Clients.get_client(g_)
    org_url = str(url_for(controller="organization", action='read',
                          id=g_.name))
    try:
        # Grab state from query parameter if session does not have it
        # NOTE(review): with this fallback the ``state`` handed to
        # ``client.callback`` can come from the very request being verified,
        # so the comparison no longer proves that this session started the
        # login (the CSRF / login-fixation protection ``state`` exists for).
        # Confirm whether the session loss worked around above can be fixed
        # instead of bypassed here.
        session['state'] = session.get('state', request.params.get('state'))
        userinfo, app_admin, app_user, access_token, id_token \
            = client.callback(session['state'], request.args )
        session['access_token'] = access_token
        session['id_token'] = id_token
        session.save()
    except OIDCError, e:
        flash_error('Login failed')
        return redirect_to(org_url, qualified=True)
    def identify(self):
        '''Implementation of IAuthenticator.identify.

        Sets ``toolkit.c.user`` from the ``ckanext-ldap-user`` session key,
        or to ``None`` when no LDAP user is stored there.  The attribute is
        always assigned so later code can rely on it existing (issue #4247).
        '''
        # FIXME: This breaks if the current user changes their own user name.
        stored_user = session.get(u'ckanext-ldap-user')
        toolkit.c.user = stored_user if stored_user else None
    def logged_out(self):
        """
        Accounts came_from. If specified, logs out of ckan only. If not specified, logs out of both ckan and wotkit.

        ``session['logout_came_from']`` is read as a comma-separated chain of
        URLs: the first entry is the next redirect target and the remainder
        is passed on to it as its ``came_from`` query parameter, so each hop
        can forward the rest in turn.  With no chain the configured
        logout-success URL is used.  ``c.user`` is cleared and the session
        deleted before either redirect.
        """
        # we need to get our language info back and the show the correct page
        # (read before the session is deleted; not otherwise used here)
        lang = session.get('lang')
        came_from = session.get('logout_came_from')
        log.debug("came from: " + str(came_from))
        c.user = None
        session.delete()
        if came_from:
            # extract came_from and construct new came from before redirecting

            (next_redirect_url, comma, remaining_came_from) = came_from.partition(',')
            if remaining_came_from:
                # NOTE(review): the remainder is appended unencoded, so a later
                # URL in the chain containing '&', '#' or '?' is cut short by
                # the receiving parser.  Percent-encoding it here is only
                # safe if no earlier hop already encodes it — confirm.
                redirect_url = next_redirect_url + "?came_from=" + remaining_came_from
            else:
                redirect_url = next_redirect_url
            log.debug("redirecting logout to: " + redirect_url)
            # NOTE(review): redirects to whatever URL was stored in the
            # session.  Cross-host targets are intended (wotkit), so any
            # allow-list check belongs where 'logout_came_from' is accepted.
            routes.redirect_to(str(redirect_url))
        else:
            # redirect user to logout url
            url = config_globals.get_logout_success_url()
            routes.redirect_to(str(url))
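def slo():
    """
    Revoke the delivered access token and log the user out.

    Sends a token-revocation request to the provider, then redirects the
    browser to the provider's end-session endpoint with a
    ``post_logout_redirect_uri`` pointing back at the organization's
    ``/logout`` page, where the local session is expected to be cleared.
    An anonymous caller is simply redirected to the organization page.

    A caller whose referrer is missing or not from this host is sent to ``/``.
    """
    try:
        from urllib.parse import urlencode, urlparse
    except ImportError:  # Python 2
        from urllib import urlencode
        from urlparse import urlparse

    # Compare the referrer's host, not a substring: a referrer such as
    # ``https://evil.example/?q=<our host>`` would satisfy
    # ``request.host in request.referrer``.
    referrer = request.referrer
    if not referrer or urlparse(referrer).netloc.lower() != request.host.lower():
        return redirect_to('/')

    g = model.Group.get(session['organization_id'])
    org_url = str(url_for(host=request.host,
                          controller='organization',
                          action='read',
                          id=g.name,
                          qualified=True))

    if not c.user:
        return redirect_to(org_url)

    client = Clients.get_client(g)
    redirect_uri = org_url + '/logout'

    # Revoke the access token (RFC 7009).  Form-encode the body instead of
    # concatenating so a token containing '&' or '=' cannot alter it, and
    # skip the call when no token is stored instead of raising TypeError.
    access_token = session.get('access_token')
    if access_token:
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        data = urlencode([('token', access_token),
                          ('token_type_hint', 'access_token')])
        client.http_request(client.revocation_endpoint,
                            'POST',
                            data=data,
                            headers=headers)

    # Redirect to the IdP's end-session endpoint.  Both parameters are
    # percent-encoded so the redirect URI survives as one query value.
    logout_url = client.end_session_endpoint + '?' + urlencode([
        ('id_token_hint', session.get('id_token') or ''),
        ('post_logout_redirect_uri', redirect_uri),
    ])
    return redirect_to(str(logout_url))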
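 def logout(self):
     """
     Log the current user out locally and redirect to their organization page.

     Clears ``session['user']``, asks the browser to drop every cookie it
     sent, and redirects to the organization read page for
     ``session['organization_id']`` (or to ``/`` when no organization is
     known).
     """
     log.info('Logging out user: %s' % session.get('user'))
     session['user'] = None
     session.save()

     # A session with no organization must still be able to log out
     # cleanly rather than raising KeyError here.
     org_id = session.get('organization_id')
     g = model.Group.get(org_id) if org_id else None

     # NOTE(review): this Response object is never returned, and redirect_to
     # below produces its own; unless this framework merges the two, the
     # cookie deletions never reach the browser.  Confirm, and if so apply
     # delete_cookie() to the redirect response instead.
     response = Response()
     for cookie in request.cookies:
         response.delete_cookie(cookie)

     if g:
         org_url = url_for(host=request.host,
                           controller='organization',
                           action='read',
                           id=g.name,
                           qualified=True)
         return redirect_to(str(org_url))
     return redirect_to('/')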
 def identify(self):
     """Set ``c.user`` from the ``ckanext-google-user`` session key, if any.

     Leaves ``c.user`` untouched when no Google-authenticated user is stored.
     """
     google_user = session.get('ckanext-google-user')
     if not google_user:
         return
     c.user = google_user
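 def identify(self):
     """Populate ``c.user``/``c.userobj`` from ``session['user']``.

     Does nothing when no user is stored in the session, when ``c.userobj``
     is already set, or when the stored reference no longer resolves to a
     user.
     """
     user = session.get('user')
     if user and not getattr(c, 'userobj', None):
         userobj = model.User.get(user)
         # A session naming a user that no longer resolves (deleted or
         # renamed) must not raise on ``.name`` for every request; the
         # visitor is simply treated as anonymous.
         if userobj is None:
             return
         c.user = userobj.name
         c.userobj = userobj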
 def logged_out(self):
     """Clear the login and redirect to the logged-out page in the user's locale.

     The locale is read from the session before the session is deleted.
     """
     # we need to get our language info back and the show the correct page
     language = session.get('lang')
     session.delete()
     c.user = None
     target = dict(locale=language, controller='user', action='logged_out_page')
     h.redirect_to(**target)
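 def identify(self):
     """Populate ``toolkit.c.user``/``toolkit.c.userobj`` from ``session['user']``.

     Does nothing when no user is stored in the session, when ``userobj`` is
     already set, or when the stored reference no longer resolves to a user.
     """
     user = session.get('user')
     if user and not toolkit.c.userobj:
         userobj = model.User.get(user)
         # A session naming a user that no longer resolves (deleted or
         # renamed) must not raise on ``.name`` for every request; the
         # visitor is simply treated as anonymous.
         if userobj is None:
             return
         toolkit.c.user = userobj.name
         toolkit.c.userobj = userobj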
 def identify(self):
     """Set ``toolkit.c.user`` from the ``openid-user`` session key, if any.

     Leaves ``toolkit.c.user`` untouched when no OpenID user is stored.
     """
     openid_user = session.get('openid-user')
     if not openid_user:
         return
     toolkit.c.user = openid_user
 def logged_out(self):
     """Clear the login and redirect to the logged-out page in the user's locale.

     The locale is read from the session before the session is deleted.
     """
     # we need to get our language info back and the show the correct page
     language = session.get('lang')
     session.delete()
     c.user = None
     target = dict(locale=language, controller='user', action='logged_out_page')
     h.redirect_to(**target)
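 def identify(self):
     """Populate ``toolkit.c.user``/``toolkit.c.userobj`` from ``session['user']``.

     Does nothing when no user is stored in the session, when ``userobj`` is
     already set, or when the stored reference no longer resolves to a user.
     """
     user = session.get('user')
     if user and not toolkit.c.userobj:
         userobj = model.User.get(user)
         # A session naming a user that no longer resolves (deleted or
         # renamed) must not raise on ``.name`` for every request; the
         # visitor is simply treated as anonymous.
         if userobj is None:
             return
         toolkit.c.user = userobj.name
         toolkit.c.userobj = userobj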
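def callback(id):
    '''
    OIDC callback for organization ``id``.

    On success the provider's user info is mapped onto a local CKAN user
    (created on first login), the user is made an admin member of the
    organization when the provider reports ``app_admin`` or ``app_user``,
    and the browser is redirected to the organization page.

    If it fails (OIDCError), if the session has NOT been marked as been in the
    context of a login_to_org() call (rather than only an sso() one), tries to
    sso() to the organization with the next id in the order of the
    ozwillo_global_login_organization_names property if configured (by calling
    try_sso_next_login_org()) ; else displays a specific message ("not member
    of this org", rather than "Login Failed")
    '''
    import binascii
    import os

    # Blueprint act strangely after user is logged in once. It will skip
    # SSO and user/login when trying to log in from different account and
    # directly get here. This is a workaround to force login user if not
    # redirected from loging page (as it sets important values in session)
    if not session.get('from_login'):
        return sso(id)
    session['from_login'] = False
    g_ = model.Group.get(session.get('organization_id', id))
    client = Clients.get_client(g_)
    org_url = str(url_for(controller="organization", action='read',
                          id=g_.name))
    try:
        # Grab state from query parameter if session does not have it
        # NOTE(review): with this fallback the ``state`` handed to
        # ``client.callback`` can come from the very request being verified,
        # so the comparison no longer proves that this session started the
        # login (the CSRF / login-fixation protection ``state`` exists for).
        # Kept because the workaround above depends on it; confirm whether
        # the session loss can be fixed instead.
        session['state'] = session.get('state', request.params.get('state'))
        userinfo, app_admin, app_user, access_token, id_token \
            = client.callback(session['state'], request.args)
        session['access_token'] = access_token
        session['id_token'] = id_token
        session.save()
    except OIDCError as e:
        is_login_to_org = bool(session.get('is_login_to_org'))
        # Pass the values as logging arguments: the message had no
        # placeholders, so the extra positional args were reported by
        # ``logging`` as a formatting error and the line was dropped.  The
        # session itself is deliberately not logged (it holds tokens).
        log.info('OIDCError (is_login_to_org=%s): %s', is_login_to_org, e)
        # reinit for next time :
        session['is_login_to_org'] = False
        session.save()

        if not is_login_to_org:
            sso_ok = try_sso_next_login_org(id)
            if sso_ok:
                return sso_ok

        flash_error("Login failed" if not is_login_to_org else
                    "Vous n'êtes pas membre de cette organisation")
        return redirect_to(org_url, qualified=True)

    # Log only the subject: the full claim set carries e-mail and names.
    log.info('Received userinfo for sub=%s', userinfo.get('sub'))

    locale = None
    if 'locale' in userinfo:
        # Keep the language part of e.g. "fr-FR"; split once so a tag with
        # several dashes no longer raises ValueError.
        locale = userinfo.get('locale', '').split('-', 1)[0]

    org_url = str(url_for(org_url, locale=locale, qualified=True))

    userobj = None
    if 'sub' in userinfo:
        userobj = model.User.get(userinfo['sub'])
        if not userobj:
            user_dict = {
                'id': userinfo['sub'],
                'name': userinfo['sub'].replace('-', ''),
                'email': userinfo['email'],
                # This account is only ever used through OIDC.  Give it an
                # unguessable local password: the subject id used before is
                # also the public user id/name, so anyone could have logged
                # in through the password form with it.
                'password': binascii.hexlify(os.urandom(32)).decode('ascii'),
            }
            context = {
                'ignore_auth': True,
                'model': model,
                'session': model.Session
            }
            user_create(context, user_dict)
            userobj = model.User.get(userinfo['sub'])

    if app_admin or app_user:
        if userobj is None:
            # No 'sub' claim, or the user could not be created: there is
            # nothing to attach the membership to (this was a NameError).
            log.warning('No local user for OIDC login to %s; aborting', g_.name)
            flash_error('Login failed')
            return redirect_to(org_url)

        member_dict = {
            'id': g_.id,
            'object': userinfo['sub'],
            'object_type': 'user',
            'capacity': 'admin',
        }

        member_create_context = {
            'model': model,
            'user': userobj.name,
            'ignore_auth': True,
            # The DB session, as in the user_create context above (the web
            # session object was passed here before).
            'session': model.Session
        }

        member_create(member_create_context, member_dict)

        # Build the full name from whichever parts are present; appending to
        # a missing ``fullname`` used to raise TypeError when only
        # 'family_name' was supplied.
        name_parts = [userinfo[key] for key in ('given_name', 'family_name')
                      if key in userinfo]
        if name_parts:
            userobj.fullname = ' '.join(name_parts)
        userobj.save()

        if 'nickname' in userinfo:
            userobj.name = userinfo['nickname']
        try:
            userobj.save()
        except Exception as e:
            log.warning('Error while saving user name: %s' % e)

        session['user'] = userobj.id
        session.save()

    return redirect_to(org_url)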