Пример #1
    def inner(request, *args, **kwargs):
        """
        Send an authenticated user through logout first when the provider named by the
        ``tpa_hint`` query parameter is configured with ``drop_existing_session``.

        The redirect goes to the ``logout`` URL with a ``redirect_url`` that points back
        at the current path, carrying only ``tpa_hint`` and ``session_cleared=yes``; any
        other query parameters of the original request are not forwarded. In every
        other case the wrapped view is called unchanged.
        """
        hinted_id = request.GET.get('tpa_hint')
        # Loop guard only: this flag comes from the query string, so a client can set it
        # itself and keep its session. Anything that must hold regardless of the client
        # has to be enforced elsewhere, not by this decorator.
        already_cleared = request.GET.get('session_cleared') == 'yes'

        hinted_provider = None
        if hinted_id and not already_cleared:
            # Only a logged-in user has a session worth dropping.
            if request.user and request.user.is_authenticated():
                try:
                    hinted_provider = Registry.get(provider_id=hinted_id)
                except ValueError:
                    # A hint the registry rejects is treated the same as no hint.
                    hinted_provider = None

        if not (hinted_provider and hinted_provider.drop_existing_session):
            # No provider, or the provider does not ask for a fresh session.
            return func(request, *args, **kwargs)

        logout_url = request.build_absolute_uri(reverse('logout'))
        # The return target is the server-side request path, never a caller-supplied URL.
        # NOTE(review): presumably the logout view still validates redirect_url - confirm.
        return_path = '{}?{}'.format(
            request.path,
            urlencode([('tpa_hint', hinted_id), ('session_cleared', 'yes')])
        )
        return redirect('{}?{}'.format(logout_url, urlencode({'redirect_url': return_path})))
Пример #2
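    def get_queryset(self):
        """
        Build the queryset of UserSocialAuth rows for the provider named in the URL.

        The ``username`` and ``remote_id`` query parameters may each be repeated and may
        each hold a comma-separated list. Every value is collected and the two filters
        are OR-ed together. When neither yields a value the empty ``Q()`` is applied, so
        every row for the provider is returned.

        Raises:
            Http404: if ``Registry.get`` rejects the provider id or returns nothing.
        """
        provider_id = self.kwargs.get('provider_id')

        # NOTE(review): no permission check is visible in this method; presumably the
        # view's permission classes guard it - confirm, because an unfiltered request
        # returns every account linked to the provider.

        # provider existence checking
        # A ValueError from Registry.get (presumably an id it cannot accept) means the
        # same to the client as a missing provider: answer 404 instead of letting the
        # exception escape as a server error.
        try:
            self.provider = Registry.get(provider_id)
        except ValueError:
            self.provider = None
        if not self.provider:
            raise Http404

        query_set = filter_user_social_auth_queryset_by_provider(
            UserSocialAuth.objects.select_related('user'),
            self.provider,
        )
        query = Q()

        usernames = self.request.query_params.getlist('username', None)
        remote_ids = self.request.query_params.getlist('remote_id', None)

        # The values below reach the database only through ORM lookups (``__in``), so
        # they are bound as parameters rather than spliced into SQL.
        # NOTE(review): the number of requested values is not capped here.
        if usernames:
            # Flatten repeated and comma-separated values into one set.
            usernames = ','.join(usernames)
            usernames = set(usernames.split(',')) if usernames else set()
            if usernames:
                query = query | Q(user__username__in=usernames)

        if remote_ids:
            remote_ids = ','.join(remote_ids)
            remote_ids = set(remote_ids.split(',')) if remote_ids else set()
            if remote_ids:
                # Map each remote id to the uid form the provider stores.
                query = query | Q(uid__in=[
                    self.provider.get_social_auth_uid(remote_id)
                    for remote_id in remote_ids
                ])

        return query_set.filter(query)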
Пример #3
def get_identity_provider(provider_id):
    """
    Look up the identity provider registered under ``provider_id``.

    The lookup is delegated to ``Registry.get`` and nothing is caught here, so a
    ``ValueError`` raised by that call reaches the caller.

    NOTE(review): a falsy ``Registry`` makes this function return without raising,
    so the ValueError cannot come from the registry being unavailable - confirm
    what ``Registry.get`` raises it for.

    Return:
        Instance of ProviderConfig or None (the falsy ``Registry`` itself when no
        registry is available).
    """
    if not Registry:
        # No registry to consult: hand back the falsy placeholder unchanged.
        return Registry
    return Registry.get(provider_id)
Пример #4
def get_identity_provider(provider_id):
    """
    Look up the identity provider registered under ``provider_id``.

    A missing registry, a ``ValueError`` from ``Registry.get`` and a lookup that
    finds nothing all end in a falsy result, so callers cannot tell these cases
    apart and should treat any falsy return as "no provider".

    Return:
        Instance of ProviderConfig or None.
    """
    try:
        if not Registry:
            # No registry available: return the falsy placeholder as-is.
            return Registry
        return Registry.get(provider_id)
    except ValueError:
        # The registry rejected the id; report it as "not found".
        return None
Пример #5
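    def get_queryset(self):
        """
        Build the queryset of UserSocialAuth rows for the provider named in the URL.

        Access is granted to superusers, to requests accepted by
        ``ApiKeyHeaderPermission`` and to requests accepted by
        ``ThirdPartyAuthProviderApiPermission`` for this provider id. The ``username``
        and ``remote_id`` query parameters may each be repeated and may each hold a
        comma-separated list; the two filters are OR-ed. When neither yields a value
        every row for the provider is returned.

        Raises:
            PermissionDenied: if none of the three access checks passes.
            Http404: if ``Registry.get`` rejects the provider id or returns nothing.
        """
        provider_id = self.kwargs.get('provider_id')

        # permission checking. We allow both API_KEY access and OAuth2 client credential access
        # This runs before the provider lookup, so a caller without access gets the
        # same answer whether or not the provider exists.
        if not (self.request.user.is_superuser
                or ApiKeyHeaderPermission().has_permission(self.request, self)
                or ThirdPartyAuthProviderApiPermission(
                    provider_id).has_permission(self.request, self)):
            raise exceptions.PermissionDenied()

        # provider existence checking
        # A ValueError from Registry.get (presumably an id it cannot accept) means the
        # same to the client as a missing provider: answer 404 instead of letting the
        # exception escape as a server error.
        try:
            self.provider = Registry.get(provider_id)
        except ValueError:
            self.provider = None
        if not self.provider:
            raise Http404

        query_set = UserSocialAuth.objects.select_related('user').filter(
            provider=self.provider.backend_name)

        # build our query filters
        # When using multi-IdP backend, we only retrieve the ones that are for current IdP.
        # test if the current provider has a slug: probe with the literal 'uid' and see
        # whether the provider changes it.
        uid = self.provider.get_social_auth_uid('uid')
        if uid != 'uid':
            # if yes, we add a filter for the slug on uid column. Dropping the last
            # three characters removes the probe again.
            # NOTE(review): assumes get_social_auth_uid only prepends to its input - confirm.
            query_set = query_set.filter(uid__startswith=uid[:-3])

        query = Q()

        usernames = self.request.query_params.getlist('username', None)
        remote_ids = self.request.query_params.getlist('remote_id', None)

        # The values below reach the database only through ORM lookups (``__in``), so
        # they are bound as parameters rather than spliced into SQL.
        if usernames:
            # Flatten repeated and comma-separated values into one set.
            usernames = ','.join(usernames)
            usernames = set(usernames.split(',')) if usernames else set()
            if usernames:
                query = query | Q(user__username__in=usernames)

        if remote_ids:
            remote_ids = ','.join(remote_ids)
            remote_ids = set(remote_ids.split(',')) if remote_ids else set()
            if remote_ids:
                # Map each remote id to the uid form the provider stores.
                query = query | Q(uid__in=[
                    self.provider.get_social_auth_uid(remote_id)
                    for remote_id in remote_ids
                ])

        return query_set.filter(query)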
Пример #6
def get_identity_provider(provider_id):
    """
    Look up the identity provider registered under ``provider_id``.

    ``Registry`` is imported at call time. If the import fails, two warnings are
    logged and the result is None. A ``ValueError`` from ``Registry.get`` also
    yields None, so callers cannot tell "app missing", "id rejected" and
    "not found" apart and should treat None as "no provider".

    Return:
        Instance of ProviderConfig or None.
    """
    try:
        from third_party_auth.provider import Registry   # pylint: disable=redefined-outer-name
    except ImportError as exception:
        LOGGER.warning("Could not import Registry from third_party_auth.provider")
        LOGGER.warning(exception)
        # Without the registry there is nothing to look up.
        return None

    try:
        if not Registry:
            return Registry
        return Registry.get(provider_id)
    except ValueError:
        # The registry rejected the id; report it as "not found".
        return None
Пример #7
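    def get_queryset(self):
        """
        Build the queryset of UserSocialAuth rows for the provider named in the URL.

        The caller must be a superuser, or pass ``ApiKeyHeaderPermission``, or pass
        ``ThirdPartyAuthProviderApiPermission`` for this provider id. Results can be
        narrowed with the ``username`` and ``remote_id`` query parameters, each of which
        may be repeated and may hold a comma-separated list; the two filters are OR-ed.
        Without any filter value every row for the provider is returned.

        Raises:
            PermissionDenied: if none of the three access checks passes.
            Http404: if ``Registry.get`` rejects the provider id or returns nothing.
        """
        provider_id = self.kwargs.get('provider_id')

        # permission checking. We allow both API_KEY access and OAuth2 client credential access
        # Checked ahead of the provider lookup, so the response to an unauthorised
        # caller does not depend on whether the provider exists.
        allowed = (
            self.request.user.is_superuser or
            ApiKeyHeaderPermission().has_permission(self.request, self) or
            ThirdPartyAuthProviderApiPermission(provider_id).has_permission(self.request, self)
        )
        if not allowed:
            raise exceptions.PermissionDenied()

        # provider existence checking
        # Treat a ValueError from Registry.get (presumably an id it cannot accept) like
        # a missing provider, so the client sees 404 rather than a server error.
        try:
            self.provider = Registry.get(provider_id)
        except ValueError:
            self.provider = None
        if not self.provider:
            raise Http404

        query_set = UserSocialAuth.objects.select_related('user').filter(provider=self.provider.backend_name)

        # build our query filters
        # When using multi-IdP backend, we only retrieve the ones that are for current IdP.
        # test if the current provider has a slug: probe with the literal 'uid' and see
        # whether the provider changes it.
        uid = self.provider.get_social_auth_uid('uid')
        if uid != 'uid':
            # if yes, we add a filter for the slug on uid column; uid[:-3] strips the probe.
            # NOTE(review): assumes get_social_auth_uid only prepends to its input - confirm.
            query_set = query_set.filter(uid__startswith=uid[:-3])

        query = Q()

        usernames = self.request.query_params.getlist('username', None)
        remote_ids = self.request.query_params.getlist('remote_id', None)

        # Request values are used only as ORM lookup arguments (``__in``), which binds
        # them as parameters instead of building SQL text from them.
        if usernames:
            # Flatten repeated and comma-separated values into one set.
            usernames = ','.join(usernames)
            usernames = set(usernames.split(',')) if usernames else set()
            if usernames:
                query = query | Q(user__username__in=usernames)

        if remote_ids:
            remote_ids = ','.join(remote_ids)
            remote_ids = set(remote_ids.split(',')) if remote_ids else set()
            if remote_ids:
                # Map each remote id to the uid form the provider stores.
                stored_uids = [self.provider.get_social_auth_uid(remote_id) for remote_id in remote_ids]
                query = query | Q(uid__in=stored_uids)

        return query_set.filter(query)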
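    def handle(self, *args, **options):
        """
        Create an approved SSOVerification for users linked to the given provider.

        The users come from UserSocialAuth, narrowed first to the provider and then by
        ``filter_user_social_auth_queryset_by_ssoverification_existence``. Each remaining
        user gets a record with status "approved", after which the approval signal is
        sent for the provider slug.

        The approval is granted solely because the account is linked to the provider,
        so the command should only be run for providers whose assertions are accepted
        as identity verification.

        Raises:
            CommandError: if ``Registry.get`` rejects the slug or returns no provider.
        """
        provider_slug = options.get('provider_slug', None)
        not_found = 'provider slug {slug} does not exist'.format(slug=provider_slug)

        try:
            provider = Registry.get(provider_slug)
        except ValueError:
            raise CommandError(not_found)
        if not provider:
            # A lookup that finds nothing must stop here too; otherwise the loop below
            # would fail on the missing provider's attributes.
            raise CommandError(not_found)

        query_set = UserSocialAuth.objects.select_related('user__profile')
        query_set = filter_user_social_auth_queryset_by_provider(query_set, provider)
        # NOTE(review): presumably this drops users who already have an SSOVerification,
        # which is what keeps a second run from creating duplicates - confirm.
        query_set = self.filter_user_social_auth_queryset_by_ssoverification_existence(query_set)
        for user_social_auth in query_set:
            verification = SSOVerification.objects.create(
                user=user_social_auth.user,
                status="approved",
                name=user_social_auth.user.profile.name,
                identity_provider_type=provider.full_class_name,
                identity_provider_slug=provider.slug,
            )
            # Send a signal so users who have already passed their courses receive credit
            verification.send_approval_signal(provider.slug)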
Пример #9
    def inner(request, *args, **kwargs):
        """
        Log an authenticated user out before the wrapped view runs, when the provider
        named by the ``tpa_hint`` query parameter sets ``drop_existing_session``.

        The user is redirected to the ``logout`` URL with a ``redirect_url`` that leads
        back to the current path with ``tpa_hint`` and ``session_cleared=yes``. That
        second parameter stops this decorator from redirecting again. Requests that do
        not meet every condition go straight to the wrapped view.
        """
        provider_id = request.GET.get('tpa_hint')
        # Taken from the query string, so it only prevents a redirect loop; a client
        # that sends it on its own skips the logout. It is not an enforcement control.
        session_cleared = request.GET.get('session_cleared') == 'yes'

        sso_provider = None
        should_look_up = provider_id and not session_cleared
        if should_look_up and request.user and request.user.is_authenticated():
            try:
                sso_provider = Registry.get(provider_id=provider_id)
            except ValueError:
                # A hint the registry rejects is handled like an absent hint.
                sso_provider = None

        wants_fresh_session = sso_provider and sso_provider.drop_existing_session
        if wants_fresh_session:
            # Do the redirect only if the configured provider says we ought to.
            logout_url = request.build_absolute_uri(reverse('logout'))
            # Only the request path and the two known parameters go into the return
            # target; the rest of the original query string is left out.
            # NOTE(review): presumably the logout view still validates redirect_url - confirm.
            return_query = urlencode([
                ('tpa_hint', provider_id),
                ('session_cleared', 'yes'),
            ])
            return_path = '{}?{}'.format(request.path, return_query)
            logout_query = urlencode({'redirect_url': return_path})
            return redirect('{}?{}'.format(logout_url, logout_query))

        # Otherwise, pass everything through to the wrapped view.
        return func(request, *args, **kwargs)
Пример #10
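    def get_queryset(self):
        """
        Build the queryset of UserSocialAuth rows for the provider named in the URL.

        Rows are limited to the provider's backend and, when the provider rewrites
        uids, to uids that carry its prefix. The ``username`` and ``remote_id`` query
        parameters may each be repeated and may each hold a comma-separated list; the
        two filters are OR-ed. Without any filter value every row for the provider is
        returned.

        Raises:
            Http404: if ``Registry.get`` rejects the provider id or returns nothing.
        """
        provider_id = self.kwargs.get('provider_id')

        # NOTE(review): no permission check is visible in this method; presumably the
        # view's permission classes guard it - confirm, because an unfiltered request
        # returns every account linked to the provider.

        # provider existence checking
        # Treat a ValueError from Registry.get (presumably an id it cannot accept) like
        # a missing provider, so the client sees 404 rather than a server error.
        try:
            self.provider = Registry.get(provider_id)
        except ValueError:
            self.provider = None
        if not self.provider:
            raise Http404

        query_set = UserSocialAuth.objects.select_related('user').filter(
            provider=self.provider.backend_name)

        # build our query filters
        # When using multi-IdP backend, we only retrieve the ones that are for current IdP.
        # test if the current provider has a slug: probe with the literal 'uid' and see
        # whether the provider changes it.
        uid = self.provider.get_social_auth_uid('uid')
        if uid != 'uid':
            # if yes, we add a filter for the slug on uid column; uid[:-3] strips the probe.
            # NOTE(review): assumes get_social_auth_uid only prepends to its input - confirm.
            query_set = query_set.filter(uid__startswith=uid[:-3])

        query = Q()

        usernames = self.request.query_params.getlist('username', None)
        remote_ids = self.request.query_params.getlist('remote_id', None)

        # Request values are used only as ORM lookup arguments (``__in``), which binds
        # them as parameters instead of building SQL text from them.
        if usernames:
            # Flatten repeated and comma-separated values into one set.
            usernames = ','.join(usernames)
            usernames = set(usernames.split(',')) if usernames else set()
            if usernames:
                query = query | Q(user__username__in=usernames)

        if remote_ids:
            remote_ids = ','.join(remote_ids)
            remote_ids = set(remote_ids.split(',')) if remote_ids else set()
            if remote_ids:
                # Map each remote id to the uid form the provider stores.
                query = query | Q(uid__in=[
                    self.provider.get_social_auth_uid(remote_id)
                    for remote_id in remote_ids
                ])

        return query_set.filter(query)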