def authenticate(self, *args, **kwargs):
"""Authenticate user using social credentials
Authentication is made if this is the correct backend, backend
verification is made by kwargs inspection for current backend
name presence.
"""
# Validate backend and arguments. Require that the Social Auth
# response be passed in as a keyword argument, to make sure we
# don't match the username/password calling conventions of
# authenticate.
if 'backend' not in kwargs or kwargs['backend'].name != self.name or \
'strategy' not in kwargs or 'response' not in kwargs:
return None
self.strategy = self.strategy or kwargs.get('strategy')
self.redirect_uri = self.redirect_uri or kwargs.get('redirect_uri')
self.data = self.strategy.request_data()
pipeline = self.strategy.get_pipeline()
if 'pipeline_index' in kwargs:
return self.pipeline(pipeline[kwargs['pipeline_index']:], *args,
**kwargs)
else:
details = self.get_user_details(kwargs['response'])
uid = self.get_user_id(details, kwargs['response'])
if not self.auth_allowed(kwargs['response'], details):
raise AuthForbidden(self)
return self.pipeline(pipeline,
details=details,
uid=uid,
is_new=False,
*args,
**kwargs)
def verify_open(strategy, backend, user=None, **kwargs):
'''
Checks whether it is possible to create new user.
'''
if not user and not appsettings.REGISTRATION_OPEN:
raise AuthForbidden(backend)
def soc_auth_allowed(backend, details, response, *args, **kwargs):
soc_user = auth_allowed(response, details)
if not soc_user:
raise AuthForbidden(backend)
else:
return {'user': soc_user}
def ggv_social_user(backend, uid, user=None, *args, **kwargs):
"""
Previous pipeline op, ggv_auth_allowed, should prevent a null user but
checking here, again, just in case.
The effect of this op is that a social association is set. If social association
is None, the pipeline will create a new social association to the ggv user object.
Subsequent (non overridden pipeline ops) will process as designed, based on the social and user
variables being initialized with values.
"""
if user:
provider = backend.name
social = backend.strategy.storage.user.get_social_auth(provider, uid)
# print 'ggv_social_user=>', social
if not social: # user has not logged in previously (e.g., no social auth obj exists) -- make their account active.
user.is_active = True
user.save()
else:
# print 'ggv_social_user=>', user
raise AuthForbidden(backend)
return {
'social': social,
'user': user,
'is_new': user is None,
'new_association': False
}
def _check_entitlements(self, idp, attributes):
"""
Check if we require the presence of any specific eduPersonEntitlement.
raise AuthForbidden if the user should not be authenticated, or do nothing
to allow the login pipeline to continue.
"""
if "requiredEntitlements" in idp.conf:
entitlements = attributes.get(OID_EDU_PERSON_ENTITLEMENT, [])
for expected in idp.conf['requiredEntitlements']:
if expected not in entitlements:
log.warning(
"SAML user from IdP %s rejected due to missing eduPersonEntitlement %s", idp.name, expected)
raise AuthForbidden(self)
def soc_social_user(backend, uid, user=None, *args, **kwargs):
if user:
provider = backend.name
social = backend.strategy.storage.user.get_social_auth(provider, uid)
if not social: # user has not logged in previously (e.g., no social auth obj exists) -- make their account active.
user.is_active = True
else:
raise AuthForbidden(backend)
return {
'social': social,
'user': user,
'is_new': user is None,
'new_association': False
}
def user_data(self, access_token, *args, **kwargs):
"""Return user data provided"""
emails = self._get_emails(access_token)
email = None
for address in reversed(emails['values']):
email = address['email']
if address['is_primary']:
break
if self.setting('VERIFIED_EMAILS_ONLY', False) and \
not address['is_confirmed']:
raise AuthForbidden(self,
'Bitbucket account has no verified email')
user = self._get_user(access_token)
if email:
user['email'] = email
return user
def user_data(self, access_token):
"""Return user data provided"""
# Bitbucket has a bit of an indirect route to obtain user data from an
# authenticated query: First obtain the user's email via an
# authenticated GET, then retrieve the user's primary email address or
# the top email
emails = self.get_json('https://bitbucket.org/api/1.0/emails/',
auth=self.oauth_auth(access_token))
email = None
for address in reversed(emails):
if address['active']:
email = address['email']
if address['primary']:
break
if email:
return dict(self.get_json('https://bitbucket.org/api/1.0/users/' +
email)['user'],
email=email)
elif self.setting('VERIFIED_EMAILS_ONLY', False):
raise AuthForbidden(self,
'Bitbucket account has any verified email')
else:
return {}
def auth_allowed(backend, details, response, *args, **kwargs):
if not backend.auth_allowed(response, details):
raise AuthForbidden(backend)
def auth_allowed(strategy, details, response, *args, **kwargs):
if not strategy.backend.auth_allowed(response, details):
raise AuthForbidden(strategy.backend)
def email_check(strategy, details, *args, **kwargs):
mail = str(details.get('email'))
if not mail.endswith('@eng.src.ku.ac.th'):
raise AuthForbidden(kwargs.get('backend'))
def email_allowed(backend, details, response, *args, **kwargs):
email = response['emails'][0]['value']
at_position = email.find('@')
if not email[at_position + 1:] == 'iith.ac.in':
raise AuthForbidden(backend)
