def default_acs_handler(auth, next_url): """Default ACS handler. :para auth: A :class:`flask_sso_saml.utils.SAMLAuth` instance. :param next_url: String with the next URL to redirect to. :return: Next URL """ if not current_user.is_authenticated: current_app.logger.debug('Metadata received from IdP %s', auth.get_attributes()) _account_info = account_info(auth.get_attributes(), remote_app) current_app.logger.debug('Metadata extracted from IdP %s', _account_info) # TODO: signals? user = account_get_user(_account_info) if user is None: form = create_csrf_disabled_registrationform(remote_app) form = fill_form(form, _account_info['user']) user = account_register(form) # if registration fails ... TODO: signup? if user is None or not account_authenticate(user): abort(401) account_setup(user, _account_info) db.session.commit() next_url = (get_safe_redirect_target(_target=next_url) or current_app.config['SECURITY_POST_LOGIN_VIEW']) return next_url
def _fill_form(app, form, data): """Fill the input form with the provided data.""" with app.test_request_context(): filled_form = fill_form(form(), data) filled_form.validate() return filled_form
def authorized_signup_handler(auth, remote=None, *args, **kwargs): """ Handle sign-in/up functionality. Checks if user is already registered. If not registered, the function registers a new user and authenticates the new user. If there already exists a user object in the database, the user is only authenticated and logged in. :param auth: (onelogin.saml2.auth) Auth object. :param remote: (str) Identity provider key. :returns: Redirect response. """ # Remove any previously stored auto register session key session.pop(token_session_key(remote) + '_autoregister', None) # Sign-in/up user # --------------- if current_user.is_authenticated: logout_user() account_info = get_account_info(auth.get_attributes(), remote) user = oauth_get_user(remote, account_info=account_info) if user is None: # Auto sign-up if user not found form = create_csrf_disabled_registrationform() # Fill form with user data form = fill_form(form, account_info['user']) # Try to register user user = oauth_register(form) # if registration fails ... if user is None: return current_app.login_manager.unauthorized() # Authenticate user if not oauth_authenticate(remote, user, require_existing_link=False): return current_app.login_manager.unauthorized() # create external id link try: oauth_link_external_id( user, dict(id=account_info['external_id'], method=remote)) db.session.commit() except AlreadyLinkedError: pass # Redirect to next next_url = get_session_next_url(remote) if next_url: return redirect(next_url) return redirect(current_app.config['SECURITY_POST_LOGIN_VIEW'])
def register_account(account_info): """"Try to register a new OAuth account. :param :account_info account data :returns A :class:`invenio_accounts.models.User` of created user. """ form = create_csrf_disabled_registrationform() form = fill_form(form, account_info['user']) if form.validate(): # Register user return oauth_register(form)
def authorized_signup_handler(auth, remote=None, *args, **kwargs): """ Handle sign-in/up functionality. Checks if user is already registered. If not registered, the function registers a new user and authenticates the new user. If there already exists a user object in the database, the user is only authenticated and logged in. :param remote: The remote application. :param resp: The response. :returns: Redirect response. """ # Remove any previously stored auto register session key session.pop(token_session_key(remote) + '_autoregister', None) # Sign-in/up user # --------------- if not current_user.is_authenticated: account_info = get_account_info(auth.get_attributes(), remote) user = oauth_get_user(remote, account_info=account_info) if user is None: # Auto sign-up if user not found form = create_csrf_disabled_registrationform() form = fill_form(form, account_info['user']) user = oauth_register(form) # if registration fails ... if user is None: return current_app.login_manager.unauthorized() # Authenticate user if not oauth_authenticate(remote, user, require_existing_link=False): return current_app.login_manager.unauthorized() db.session.commit() # Redirect to next next_url = get_session_next_url(remote) if next_url: return redirect(next_url) return redirect(current_app.config['SECURITY_POST_LOGIN_VIEW'])
def signup_handler(remote, *args, **kwargs): """Handle extra signup information. :param remote: The remote application. :returns: Redirect response or the template rendered. """ # User already authenticated so move on if current_user.is_authenticated: return redirect('/') # Retrieve token from session oauth_token = token_getter(remote) if not oauth_token: return redirect('/') session_prefix = token_session_key(remote.name) # Test to see if this is coming from on authorized request if not session.get(session_prefix + '_autoregister', False): return redirect(url_for('.login', remote_app=remote.name)) form = create_registrationform(request.form) if form.validate_on_submit(): account_info = session.get(session_prefix + '_account_info') response = session.get(session_prefix + '_response') # Register user user = oauth_register(form) if user is None: raise OAuthError('Could not create user.', remote) # Remove session key session.pop(session_prefix + '_autoregister', None) # Link account and set session data token = token_setter(remote, oauth_token[0], secret=oauth_token[1], user=user) handlers = current_oauthclient.signup_handlers[remote.name] if token is None: raise OAuthError('Could not create token for user.', remote) if not token.remote_account.extra_data: account_setup = handlers['setup'](token, response) account_setup_received.send(remote, token=token, response=response, account_setup=account_setup) # Registration has been finished db.session.commit() account_setup_committed.send(remote, token=token) else: # Registration has been finished db.session.commit() # Authenticate the user if not oauth_authenticate( remote.consumer_key, user, require_existing_link=False, remember=current_app.config['OAUTHCLIENT_REMOTE_APPS'][ remote.name].get('remember', False)): # Redirect the user after registration (which doesn't include the # activation), waiting for user to confirm his email. return redirect('/') # Remove account info from session session.pop(session_prefix + '_account_info', None) session.pop(session_prefix + '_response', None) # Redirect to next next_url = get_session_next_url(remote.name) if next_url: return redirect(next_url) else: return redirect('/') # Pre-fill form account_info = session.get(session_prefix + '_account_info') if not form.is_submitted(): form = fill_form(form, account_info['user']) return render_template( current_app.config['OAUTHCLIENT_SIGNUP_TEMPLATE'], form=form, remote=remote, app_title=current_app.config['OAUTHCLIENT_REMOTE_APPS'][ remote.name].get('title', ''), app_description=current_app.config['OAUTHCLIENT_REMOTE_APPS'][ remote.name].get('description', ''), app_icon=current_app.config['OAUTHCLIENT_REMOTE_APPS'][ remote.name].get('icon', None), )
def authorized_signup_handler(resp, remote, *args, **kwargs): """Handle sign-in/up functionality. :param remote: The remote application. :param resp: The response. :returns: Redirect response. """ # Remove any previously stored auto register session key session.pop(token_session_key(remote.name) + '_autoregister', None) # Store token in session # ---------------------- # Set token in session - token object only returned if # current_user.is_autenticated(). token = response_token_setter(remote, resp) handlers = current_oauthclient.signup_handlers[remote.name] # Sign-in/up user # --------------- if not current_user.is_authenticated: account_info = handlers['info'](resp) account_info_received.send(remote, token=token, response=resp, account_info=account_info) user = oauth_get_user( remote.consumer_key, account_info=account_info, access_token=token_getter(remote)[0], ) if user is None: # Auto sign-up if user not found form = create_csrf_disabled_registrationform() form = fill_form(form, account_info['user']) user = oauth_register(form) # if registration fails ... if user is None: # requires extra information session[token_session_key(remote.name) + '_autoregister'] = True session[token_session_key(remote.name) + '_account_info'] = account_info session[token_session_key(remote.name) + '_response'] = resp db.session.commit() return redirect('/') # Authenticate user if not oauth_authenticate( remote.consumer_key, user, require_existing_link=False): return current_app.login_manager.unauthorized() # Link account # ------------ # Need to store token in database instead of only the session when # called first time. token = response_token_setter(remote, resp) # Setup account # ------------- if not token.remote_account.extra_data: account_setup = handlers['setup'](token, resp) account_setup_received.send(remote, token=token, response=resp, account_setup=account_setup) db.session.commit() account_setup_committed.send(remote, token=token) else: db.session.commit() # Redirect to next next_url = get_session_next_url(remote.name) if next_url: return redirect(next_url) return redirect('/')
def signup_handler(remote, *args, **kwargs): """Handle extra signup information. :param remote: The remote application. :returns: Redirect response or the template rendered. """ # User already authenticated so move on if current_user.is_authenticated: return redirect('/') # Retrieve token from session oauth_token = token_getter(remote) if not oauth_token: return redirect('/') session_prefix = token_session_key(remote.name) # Test to see if this is coming from on authorized request if not session.get(session_prefix + '_autoregister', False): return redirect(url_for('.login', remote_app=remote.name)) form = create_registrationform(request.form) if form.validate_on_submit(): account_info = session.get(session_prefix + '_account_info') response = session.get(session_prefix + '_response') # Register user user = oauth_register(form) if user is None: raise OAuthError('Could not create user.', remote) # Remove session key session.pop(session_prefix + '_autoregister', None) # Link account and set session data token = token_setter(remote, oauth_token[0], secret=oauth_token[1], user=user) handlers = current_oauthclient.signup_handlers[remote.name] if token is None: raise OAuthError('Could not create token for user.', remote) if not token.remote_account.extra_data: account_setup = handlers['setup'](token, response) account_setup_received.send( remote, token=token, response=response, account_setup=account_setup ) # Registration has been finished db.session.commit() account_setup_committed.send(remote, token=token) else: # Registration has been finished db.session.commit() # Authenticate the user if not oauth_authenticate(remote.consumer_key, user, require_existing_link=False, remember=current_app.config[ 'OAUTHCLIENT_REMOTE_APPS'] [remote.name].get('remember', False)): # Redirect the user after registration (which doesn't include the # activation), waiting for user to confirm his email. return redirect('/') # Remove account info from session session.pop(session_prefix + '_account_info', None) session.pop(session_prefix + '_response', None) # Redirect to next next_url = get_session_next_url(remote.name) if next_url: return redirect(next_url) else: return redirect('/') # Pre-fill form account_info = session.get(session_prefix + '_account_info') if not form.is_submitted(): form = fill_form(form, account_info['user']) return render_template( current_app.config['OAUTHCLIENT_SIGNUP_TEMPLATE'], form=form, remote=remote, app_title=current_app.config['OAUTHCLIENT_REMOTE_APPS'][ remote.name].get('title', ''), app_description=current_app.config['OAUTHCLIENT_REMOTE_APPS'][ remote.name].get('description', ''), app_icon=current_app.config['OAUTHCLIENT_REMOTE_APPS'][ remote.name].get('icon', None), )
def authorized_signup_handler(resp, remote, *args, **kwargs): """Handle sign-in/up functionality. :param remote: The remote application. :param resp: The response. :returns: Redirect response. """ # Remove any previously stored auto register session key session.pop(token_session_key(remote.name) + '_autoregister', None) # Store token in session # ---------------------- # Set token in session - token object only returned if # current_user.is_autenticated(). token = response_token_setter(remote, resp) handlers = current_oauthclient.signup_handlers[remote.name] # Sign-in/up user # --------------- if not current_user.is_authenticated: account_info = handlers['info'](resp) account_info_received.send( remote, token=token, response=resp, account_info=account_info ) user = oauth_get_user( remote.consumer_key, account_info=account_info, access_token=token_getter(remote)[0], ) if user is None: # Auto sign-up if user not found form = create_csrf_disabled_registrationform() form = fill_form( form, account_info['user'] ) user = oauth_register(form) # if registration fails ... if user is None: # requires extra information session[ token_session_key(remote.name) + '_autoregister'] = True session[token_session_key(remote.name) + '_account_info'] = account_info session[token_session_key(remote.name) + '_response'] = resp db.session.commit() return redirect('/') # Authenticate user if not oauth_authenticate(remote.consumer_key, user, require_existing_link=False): return current_app.login_manager.unauthorized() # Link account # ------------ # Need to store token in database instead of only the session when # called first time. token = response_token_setter(remote, resp) # Setup account # ------------- if not token.remote_account.extra_data: account_setup = handlers['setup'](token, resp) account_setup_received.send( remote, token=token, response=resp, account_setup=account_setup ) db.session.commit() account_setup_committed.send(remote, token=token) else: db.session.commit() # Redirect to next next_url = get_session_next_url(remote.name) if next_url: return redirect(next_url) return redirect('/')
def authorized_signup_handler(resp, remote, *args, **kwargs): """Handle sign-in/up functionality. :param remote: The remote application. :param resp: The response. :returns: Redirect response. """ # Remove any previously stored auto register session key session.pop(token_session_key(remote.name) + '_autoregister', None) # Store token in session # ---------------------- # Set token in session - token object only returned if # current_user.is_autenticated(). token = response_token_setter(remote, resp) handlers = current_oauthclient.signup_handlers[remote.name] # Sign-in/up user # --------------- if not current_user.is_authenticated: account_info = handlers['info'](resp) account_info_received.send(remote, token=token, response=resp, account_info=account_info) user = oauth_get_user( remote.consumer_key, account_info=account_info, access_token=token_getter(remote)[0], ) if user is None: # Auto sign-up if user not found form = create_csrf_disabled_registrationform() form = fill_form(form, account_info['user']) user = oauth_register(form) # if registration fails ... if user is None: # requires extra information session[token_session_key(remote.name) + '_autoregister'] = True session[token_session_key(remote.name) + '_account_info'] = account_info session[token_session_key(remote.name) + '_response'] = resp db.session.commit() return render_template( current_app.config['AUTHENTICATION_POPUP_TEMPLATE'], msg='Registration to the service failed.'), 400 # Authenticate user if not oauth_authenticate( remote.consumer_key, user, require_existing_link=False): return render_template( current_app. config['AUTHENTICATION_POPUP__NO_REDIRECT_TEMPLATE'], msg='Error: Unauthorized user.'), 401 # Link account # ------------ # Need to store token in database instead of only the session when # called first time. token = response_token_setter(remote, resp) # Setup account # ------------- if not token.remote_account.extra_data: account_setup = handlers['setup'](token, resp) account_setup_received.send(remote, token=token, response=resp, account_setup=account_setup) db.session.commit() account_setup_committed.send(remote, token=token) else: db.session.commit() return render_template(current_app.config['AUTHENTICATION_POPUP_TEMPLATE'], msg='Account linked successfully.'), 200
def authorized_signup_handler(auth, remote=None, *args, **kwargs): """ Handle sign-in/up functionality. Checks if user is already registered. If not registered, the function registers a new user and authenticates the new user. If there already exists a user object in the database, the user is only authenticated and logged in. :param auth: (onelogin.saml2.auth) Auth object. :param remote: (str) Identity provider key. :returns: Redirect response. """ # Remove any previously stored auto register session key session.pop(token_session_key(remote) + '_autoregister', None) # Sign-in/up user # --------------- if current_user.is_authenticated: logout_user() account_info = get_account_info(auth.get_attributes(), remote) user = None # Pre-check done to use a case insensitive comparison because this is not # done in invenio --> https://github.com/inveniosoftware/invenio-oauthclient/blob/master/invenio_oauthclient/utils.py#L82 # nopep8 if account_info.get('user', {}).get('email'): user = User.query.filter( func.lower(User.email) == func.lower(account_info['user'] ['email'])).one_or_none() if user is None: user = oauth_get_user(remote, account_info=account_info) if user is None: # Auto sign-up if user not found form = create_csrf_disabled_registrationform() # Fill form with user data form = fill_form(form, account_info['user']) # Try to register user user = oauth_register(form) # if registration fails ... if user is None: return current_app.login_manager.unauthorized() # Authenticate user if not oauth_authenticate(remote, user, require_existing_link=False): return current_app.login_manager.unauthorized() # create external id link try: oauth_link_external_id( user, dict(id=account_info['external_id'], method=remote)) db.session.commit() except AlreadyLinkedError: pass # Redirect to next next_url = get_session_next_url(remote) if next_url: return redirect(next_url) return redirect(current_app.config['SECURITY_POST_LOGIN_VIEW'])