def _auth_plugin(username, password): if settings.local.sub_plan != 'enterprise': return utils.jsonify({ 'error': AUTH_INVALID, 'error_msg': AUTH_INVALID_MSG, }, 401) valid, org_id, groups = sso.plugin_login_authenticate( user_name=username, password=password, remote_ip=utils.get_remote_addr(), ) if not valid: return utils.jsonify({ 'error': AUTH_INVALID, 'error_msg': AUTH_INVALID_MSG, }, 401) if not org_id: logger.error( 'Login plugin did not return valid organization name', 'auth', org_name=org_id, user_name=username, ) return utils.jsonify({ 'error': AUTH_INVALID, 'error_msg': AUTH_INVALID_MSG, }, 401) org = organization.get_by_id(org_id) if not org: return flask.abort(405) usr = org.find_user(name=username) if not usr: usr = org.new_user(name=username, type=CERT_CLIENT, auth_type=PLUGIN_AUTH, groups=list(groups) if groups else None) usr.audit_event( 'user_created', 'User created with plugin authentication', remote_addr=utils.get_remote_addr(), ) event.Event(type=ORGS_UPDATED) event.Event(type=USERS_UPDATED, resource_id=org.id) event.Event(type=SERVERS_UPDATED) else: if usr.disabled: return utils.jsonify({ 'error': AUTH_DISABLED, 'error_msg': AUTH_DISABLED_MSG, }, 403) if groups and groups - set(usr.groups or []): usr.groups = list(set(usr.groups or []) | groups) usr.commit('groups') if usr.auth_type != PLUGIN_AUTH: usr.auth_type = PLUGIN_AUTH usr.set_pin(None) usr.commit(('auth_type', 'pin')) key_link = org.create_user_key_link(usr.id, one_time=True) usr.audit_event('user_profile', 'User profile viewed from plugin authentication', remote_addr=utils.get_remote_addr(), ) return utils.jsonify({ 'redirect': utils.get_url_root() + key_link['view_url'], }, 202)
def sso_auth_check(self, password, remote_ip): sso_mode = settings.app.sso or '' auth_server = AUTH_SERVER if settings.app.dedicated: auth_server = settings.app.dedicated if GOOGLE_AUTH in self.auth_type and GOOGLE_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True try: resp = requests.get(auth_server + '/update/google?user=%s&license=%s' % ( urllib.quote(self.email), settings.app.license, )) if resp.status_code != 200: logger.error( 'Google auth check request error', 'user', user_id=self.id, user_name=self.name, status_code=resp.status_code, content=resp.content, ) return False valid, google_groups = sso.verify_google(self.email) if not valid: logger.error( 'Google auth check failed', 'user', user_id=self.id, user_name=self.name, ) return False if settings.app.sso_google_mode == 'groups': cur_groups = set(self.groups) new_groups = set(google_groups) if cur_groups != new_groups: self.groups = list(new_groups) self.commit('groups') return True except: logger.exception( 'Google auth check error', 'user', user_id=self.id, user_name=self.name, ) return False elif AZURE_AUTH in self.auth_type and AZURE_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True try: resp = requests.get( auth_server + ('/update/azure?user=%s&license=%s&' + 'directory_id=%s&app_id=%s&app_secret=%s') % ( urllib.quote(self.name), settings.app.license, urllib.quote(settings.app.sso_azure_directory_id), urllib.quote(settings.app.sso_azure_app_id), urllib.quote(settings.app.sso_azure_app_secret), )) if resp.status_code != 200: logger.error( 'Azure auth check request error', 'user', user_id=self.id, user_name=self.name, status_code=resp.status_code, content=resp.content, ) return False valid, azure_groups = sso.verify_azure(self.name) if not valid: logger.error( 'Azure auth check failed', 'user', user_id=self.id, user_name=self.name, ) return False if settings.app.sso_azure_mode == 'groups': cur_groups = set(self.groups) new_groups = set(azure_groups) if cur_groups != new_groups: self.groups = list(new_groups) self.commit('groups') return True except: logger.exception( 'Azure auth check error', 'user', user_id=self.id, user_name=self.name, ) return False elif SLACK_AUTH in self.auth_type and SLACK_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True if not isinstance(settings.app.sso_match, list): raise TypeError('Invalid sso match') try: resp = requests.get( auth_server + '/update/slack?user=%s&team=%s&license=%s' % ( urllib.quote(self.name), urllib.quote(settings.app.sso_match[0]), settings.app.license, )) if resp.status_code != 200: logger.error( 'Slack auth check request error', 'user', user_id=self.id, user_name=self.name, status_code=resp.status_code, content=resp.content, ) return False return True except: logger.exception( 'Slack auth check error', 'user', user_id=self.id, user_name=self.name, ) return False elif SAML_ONELOGIN_AUTH in self.auth_type and \ SAML_ONELOGIN_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True try: return sso.auth_onelogin(self.name) except: logger.exception( 'OneLogin auth check error', 'user', user_id=self.id, user_name=self.name, ) return False elif SAML_OKTA_AUTH in self.auth_type and \ SAML_OKTA_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True try: return sso.auth_okta(self.name) except: logger.exception( 'Okta auth check error', 'user', user_id=self.id, user_name=self.name, ) return False elif RADIUS_AUTH in self.auth_type and RADIUS_AUTH in sso_mode: try: return sso.verify_radius(self.name, password)[0] except: logger.exception( 'Radius auth check error', 'user', user_id=self.id, user_name=self.name, ) return False elif PLUGIN_AUTH in self.auth_type: try: return sso.plugin_login_authenticate( user_name=self.name, password=password, remote_ip=remote_ip, )[0] except: logger.exception( 'Plugin auth check error', 'user', user_id=self.id, user_name=self.name, ) return False return True
def _auth_plugin(username, password, remote_addr): if not settings.local.sub_plan or \ 'enterprise' not in settings.local.sub_plan: journal.entry( journal.ADMIN_AUTH_FAILURE, user_name=username, remote_address=remote_addr, reason=journal.ADMIN_AUTH_REASON_INVALID_USERNAME, reason_long='Invalid username', ) return utils.jsonify( { 'error': AUTH_INVALID, 'error_msg': AUTH_INVALID_MSG, }, 401) has_plugin, valid, org_id, groups = sso.plugin_login_authenticate( user_name=username, password=password, remote_ip=remote_addr, ) if not has_plugin: journal.entry( journal.ADMIN_AUTH_FAILURE, user_name=username, remote_address=remote_addr, reason=journal.ADMIN_AUTH_REASON_INVALID_USERNAME, reason_long='Invalid username', ) return utils.jsonify( { 'error': AUTH_INVALID, 'error_msg': AUTH_INVALID_MSG, }, 401) if not valid: journal.entry( journal.SSO_AUTH_REASON_PLUGIN_FAILED, user_name=username, remote_address=remote_addr, reason=journal.SSO_AUTH_REASON_PLUGIN_FAILED, reason_long='Plugin authentication failed', ) return utils.jsonify( { 'error': AUTH_INVALID, 'error_msg': AUTH_INVALID_MSG, }, 401) if not org_id: logger.error( 'Login plugin did not return valid organization name', 'auth', org_name=org_id, user_name=username, ) return utils.jsonify( { 'error': AUTH_INVALID, 'error_msg': AUTH_INVALID_MSG, }, 401) org = organization.get_by_id(org_id) if not org: logger.error( 'Organization for sso does not exist', 'auth', org_id=org_id, ) return flask.abort(405) usr = org.find_user(name=username) if not usr: usr = org.new_user(name=username, type=CERT_CLIENT, auth_type=PLUGIN_AUTH, groups=list(groups) if groups else None) usr.audit_event( 'user_created', 'User created with plugin authentication', remote_addr=utils.get_remote_addr(), ) journal.entry( journal.USER_CREATE, usr.journal_data, event_long='User created with plugin authentication', remote_address=remote_addr, ) event.Event(type=ORGS_UPDATED) event.Event(type=USERS_UPDATED, resource_id=org.id) event.Event(type=SERVERS_UPDATED) else: if usr.disabled: return utils.jsonify( { 'error': AUTH_DISABLED, 'error_msg': AUTH_DISABLED_MSG, }, 403) if groups and groups - set(usr.groups or []): usr.groups = list(set(usr.groups or []) | groups) usr.commit('groups') if usr.auth_type != PLUGIN_AUTH: usr.auth_type = PLUGIN_AUTH usr.set_pin(None) usr.commit(('auth_type', 'pin')) key_link = org.create_user_key_link(usr.id, one_time=True) usr.audit_event( 'user_profile', 'User profile viewed from plugin authentication', remote_addr=utils.get_remote_addr(), ) journal.entry( journal.USER_PROFILE_SUCCESS, usr.journal_data, event_long='User profile viewed from plugin authentication', remote_address=remote_addr, ) return utils.jsonify( { 'redirect': utils.get_url_root() + key_link['view_url'], }, 202)
def _auth_plugin(username, password): if not settings.local.sub_plan or \ 'enterprise' not in settings.local.sub_plan: return utils.jsonify({ 'error': AUTH_INVALID, 'error_msg': AUTH_INVALID_MSG, }, 401) valid, org_id, groups = sso.plugin_login_authenticate( user_name=username, password=password, remote_ip=utils.get_remote_addr(), ) if not valid: return utils.jsonify({ 'error': AUTH_INVALID, 'error_msg': AUTH_INVALID_MSG, }, 401) if not org_id: logger.error( 'Login plugin did not return valid organization name', 'auth', org_name=org_id, user_name=username, ) return utils.jsonify({ 'error': AUTH_INVALID, 'error_msg': AUTH_INVALID_MSG, }, 401) org = organization.get_by_id(org_id) if not org: return flask.abort(405) usr = org.find_user(name=username) if not usr: usr = org.new_user(name=username, type=CERT_CLIENT, auth_type=PLUGIN_AUTH, groups=list(groups) if groups else None) usr.audit_event( 'user_created', 'User created with plugin authentication', remote_addr=utils.get_remote_addr(), ) event.Event(type=ORGS_UPDATED) event.Event(type=USERS_UPDATED, resource_id=org.id) event.Event(type=SERVERS_UPDATED) else: if usr.disabled: return utils.jsonify({ 'error': AUTH_DISABLED, 'error_msg': AUTH_DISABLED_MSG, }, 403) if groups and groups - set(usr.groups or []): usr.groups = list(set(usr.groups or []) | groups) usr.commit('groups') if usr.auth_type != PLUGIN_AUTH: usr.auth_type = PLUGIN_AUTH usr.set_pin(None) usr.commit(('auth_type', 'pin')) key_link = org.create_user_key_link(usr.id, one_time=True) usr.audit_event('user_profile', 'User profile viewed from plugin authentication', remote_addr=utils.get_remote_addr(), ) return utils.jsonify({ 'redirect': utils.get_url_root() + key_link['view_url'], }, 202)
def sso_auth_check(self, password, remote_ip): sso_mode = settings.app.sso or '' auth_server = AUTH_SERVER if settings.app.dedicated: auth_server = settings.app.dedicated if GOOGLE_AUTH in self.auth_type and GOOGLE_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True try: resp = requests.get(auth_server + '/update/google?user=%s&license=%s' % ( urllib.quote(self.email), settings.app.license, )) if resp.status_code == 200: return True except: logger.exception( 'Google auth check error', 'user', user_id=self.id, ) return False elif SLACK_AUTH in self.auth_type and SLACK_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True if not isinstance(settings.app.sso_match, list): raise TypeError('Invalid sso match') try: resp = requests.get( auth_server + '/update/slack?user=%s&team=%s&license=%s' % ( urllib.quote(self.name), urllib.quote(settings.app.sso_match[0]), settings.app.license, )) if resp.status_code == 200: return True except: logger.exception( 'Slack auth check error', 'user', user_id=self.id, ) return False elif SAML_ONELOGIN_AUTH in self.auth_type and \ SAML_ONELOGIN_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True try: return sso.auth_onelogin(self.name) except: logger.exception( 'OneLogin auth check error', 'user', user_id=self.id, ) return False elif SAML_OKTA_AUTH in self.auth_type and \ SAML_OKTA_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True try: return sso.auth_okta(self.name) except: logger.exception( 'Okta auth check error', 'user', user_id=self.id, ) return False elif RADIUS_AUTH in self.auth_type and RADIUS_AUTH in sso_mode: try: return sso.verify_radius(self.name, password)[0] except: logger.exception( 'Radius auth check error', 'user', user_id=self.id, ) return False elif PLUGIN_AUTH in self.auth_type: try: return sso.plugin_login_authenticate( user_name=self.name, password=password, remote_ip=remote_ip, )[0] except: logger.exception( 'Plugin auth check error', 'user', user_id=self.id, ) return False return True
def sso_auth_check(self, password, remote_ip): sso_mode = settings.app.sso or '' if GOOGLE_AUTH in self.auth_type and GOOGLE_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True try: resp = requests.get(AUTH_SERVER + '/update/google?user=%s&license=%s' % ( urllib.quote(self.email), settings.app.license, )) if resp.status_code == 200: return True except: logger.exception('Google auth check error', 'user', user_id=self.id, ) return False elif SLACK_AUTH in self.auth_type and SLACK_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True if not isinstance(settings.app.sso_match, list): raise TypeError('Invalid sso match') try: resp = requests.get(AUTH_SERVER + '/update/slack?user=%s&team=%s&license=%s' % ( urllib.quote(self.name), urllib.quote(settings.app.sso_match[0]), settings.app.license, )) if resp.status_code == 200: return True except: logger.exception('Slack auth check error', 'user', user_id=self.id, ) return False elif SAML_ONELOGIN_AUTH in self.auth_type and \ SAML_ONELOGIN_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True try: return sso.auth_onelogin(self.name) except: logger.exception('OneLogin auth check error', 'user', user_id=self.id, ) return False elif SAML_OKTA_AUTH in self.auth_type and \ SAML_OKTA_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True try: return sso.auth_okta(self.name) except: logger.exception('Okta auth check error', 'user', user_id=self.id, ) return False elif RADIUS_AUTH in self.auth_type and RADIUS_AUTH in sso_mode: try: return sso.verify_radius(self.name, password)[0] except: logger.exception('Radius auth check error', 'user', user_id=self.id, ) return False elif PLUGIN_AUTH in self.auth_type: try: return sso.plugin_login_authenticate( user_name=self.name, password=password, remote_ip=remote_ip, )[0] except: logger.exception('Plugin auth check error', 'user', user_id=self.id, ) return False return True
def sso_auth_check(self, password, remote_ip): sso_mode = settings.app.sso or '' auth_server = AUTH_SERVER if settings.app.dedicated: auth_server = settings.app.dedicated if GOOGLE_AUTH in self.auth_type and GOOGLE_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True try: resp = requests.get(auth_server + '/update/google?user=%s&license=%s' % ( urllib.quote(self.email), settings.app.license, )) if resp.status_code != 200: logger.error('Google auth check request error', 'user', user_id=self.id, user_name=self.name, status_code=resp.status_code, content=resp.content, ) return False valid, google_groups = sso.verify_google(self.email) if not valid: logger.error('Google auth check failed', 'user', user_id=self.id, user_name=self.name, ) return False if settings.app.sso_google_mode == 'groups': cur_groups = set(self.groups) new_groups = set(google_groups) if cur_groups != new_groups: self.groups = list(new_groups) self.commit('groups') return True except: logger.exception('Google auth check error', 'user', user_id=self.id, user_name=self.name, ) return False elif AZURE_AUTH in self.auth_type and AZURE_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True try: resp = requests.get(auth_server + ('/update/azure?user=%s&license=%s&' + 'directory_id=%s&app_id=%s&app_secret=%s') % ( urllib.quote(self.name), settings.app.license, urllib.quote(settings.app.sso_azure_directory_id), urllib.quote(settings.app.sso_azure_app_id), urllib.quote(settings.app.sso_azure_app_secret), )) if resp.status_code != 200: logger.error('Azure auth check request error', 'user', user_id=self.id, user_name=self.name, status_code=resp.status_code, content=resp.content, ) return False valid, azure_groups = sso.verify_azure(self.name) if not valid: logger.error('Azure auth check failed', 'user', user_id=self.id, user_name=self.name, ) return False if settings.app.sso_azure_mode == 'groups': cur_groups = set(self.groups) new_groups = set(azure_groups) if cur_groups != new_groups: self.groups = list(new_groups) self.commit('groups') return True except: logger.exception('Azure auth check error', 'user', user_id=self.id, user_name=self.name, ) return False elif AUTHZERO_AUTH in self.auth_type and AUTHZERO_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True try: resp = requests.get(auth_server + ('/update/authzero?user=%s&license=%s&' + 'app_domain=%s&app_id=%s&app_secret=%s') % ( urllib.quote(self.name), settings.app.license, urllib.quote(settings.app.sso_authzero_domain), urllib.quote(settings.app.sso_authzero_app_id), urllib.quote(settings.app.sso_authzero_app_secret), )) if resp.status_code != 200: logger.error('Auth0 auth check request error', 'user', user_id=self.id, user_name=self.name, status_code=resp.status_code, content=resp.content, ) return False valid, authzero_groups = sso.verify_authzero(self.name) if not valid: logger.error('Auth0 auth check failed', 'user', user_id=self.id, user_name=self.name, ) return False if settings.app.sso_authzero_mode == 'groups': cur_groups = set(self.groups) new_groups = set(authzero_groups) if cur_groups != new_groups: self.groups = list(new_groups) self.commit('groups') return True except: logger.exception('Auth0 auth check error', 'user', user_id=self.id, user_name=self.name, ) return False elif SLACK_AUTH in self.auth_type and SLACK_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True if not isinstance(settings.app.sso_match, list): raise TypeError('Invalid sso match') try: resp = requests.get(auth_server + '/update/slack?user=%s&team=%s&license=%s' % ( urllib.quote(self.name), urllib.quote(settings.app.sso_match[0]), settings.app.license, )) if resp.status_code != 200: logger.error('Slack auth check request error', 'user', user_id=self.id, user_name=self.name, status_code=resp.status_code, content=resp.content, ) return False return True except: logger.exception('Slack auth check error', 'user', user_id=self.id, user_name=self.name, ) return False elif SAML_ONELOGIN_AUTH in self.auth_type and \ SAML_ONELOGIN_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True try: return sso.auth_onelogin(self.name) except: logger.exception('OneLogin auth check error', 'user', user_id=self.id, user_name=self.name, ) return False elif SAML_OKTA_AUTH in self.auth_type and \ SAML_OKTA_AUTH in sso_mode: if settings.user.skip_remote_sso_check: return True try: return sso.auth_okta(self.name) except: logger.exception('Okta auth check error', 'user', user_id=self.id, user_name=self.name, ) return False elif RADIUS_AUTH in self.auth_type and RADIUS_AUTH in sso_mode: try: return sso.verify_radius(self.name, password)[0] except: logger.exception('Radius auth check error', 'user', user_id=self.id, user_name=self.name, ) return False elif PLUGIN_AUTH in self.auth_type: try: return sso.plugin_login_authenticate( user_name=self.name, password=password, remote_ip=remote_ip, )[1] except: logger.exception('Plugin auth check error', 'user', user_id=self.id, user_name=self.name, ) return False return True