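def openid_login_callback(request):
    """Finish an OpenID login: verify the provider's signature, then log in.

    The response is trusted only when the HMAC-SHA256 of its signed fields,
    keyed with the association ``mac_key`` held in the session, equals
    ``openid.sig``.  The user is then looked up by e-mail (created if
    missing), added to the default organization and to the team with id 1,
    and logged in.

    Returns the failure message string when verification fails (the original
    contract), otherwise an ``HttpResponseRedirect`` to the ``next`` path.
    """
    # NOTE(review): a Django view normally returns an HttpResponse; the bare
    # string is kept because the callers of this function are not visible here.
    AUTH_FAILED = '认证失败,请重新登录验证'
    # Earlier versions of this view gave every OpenID account this same
    # password.  It is kept only so such accounts can be detected and have
    # password login disabled below.
    LEGACY_SHARED_PASSWORD = "sentry_netease_openid_pwd"

    OPENID_RESPONSE = dict(request.GET)

    # Without an association key the HMAC would be keyed with an empty string,
    # which proves nothing about who produced the response, so refuse outright.
    mac_key = request.session.get('mac_key')
    if not mac_key:
        return AUTH_FAILED

    try:
        signed_fields = OPENID_RESPONSE['openid.signed'][0].split(",")
        provided_sig = OPENID_RESPONSE['openid.sig'][0].encode("UTF-8")
        # Rebuild the "key:value\n" lines that the provider signed.
        SIGNED_CONTENT = "".join(
            "%s:%s\n" % (k, OPENID_RESPONSE["openid.%s" % k][0])
            for k in signed_fields
        ).encode("UTF-8")
        raw_key = base64.b64decode(mac_key)
    except (KeyError, IndexError, TypeError, ValueError):
        # Missing or malformed fields are a failed login, not a server error.
        return AUTH_FAILED

    # Hash the signed content with the mac_key obtained from the associate
    # request and check that it matches what the OpenID server returned.
    SIGNED_CONTENT_SIG = base64.b64encode(
        hmac.new(raw_key, SIGNED_CONTENT, hashlib.sha256).digest())
    # Compare as bytes and in constant time.
    if not hmac.compare_digest(SIGNED_CONTENT_SIG, provided_sig):
        return AUTH_FAILED
    request.session.pop('mac_key', None)

    # Only attributes listed in openid.signed are covered by the signature.
    # Read the same first value that went into SIGNED_CONTENT, so a repeated
    # query parameter cannot supply a different one.
    if 'sreg.email' not in signed_fields:
        return AUTH_FAILED
    email = OPENID_RESPONSE['openid.sreg.email'][0]
    if not email:
        return AUTH_FAILED
    fullname = None
    if 'sreg.fullname' in signed_fields:
        fullname = OPENID_RESPONSE['openid.sreg.fullname'][0]

    # Redirect only to a path on this site; anything a browser could read as
    # another host falls back to the home page.
    next_url = request.GET.get('next', '/')
    if (not next_url.startswith('/') or next_url.startswith('//')
            or '\\' in next_url or any(ord(ch) < 32 for ch in next_url)):
        next_url = '/'

    matches = User.objects.filter(username__iexact=email)
    if matches.exists():
        login_user = matches[0]
        # Never overwrite an existing account's password; only retire the
        # shared legacy one where it is still set.
        if login_user.check_password(LEGACY_SHARED_PASSWORD):
            login_user.set_unusable_password()
        if fullname is not None:
            login_user.name = fullname  # update by hzwangzhiwei @20160329
        login_user.save()
    else:
        # No such user yet: add a row to the user table.  The account is
        # OpenID-only, so it gets no usable local password.
        login_user = User(username=email, name=fullname or '', email=email)
        login_user.set_unusable_password()
        login_user.save()  # save to db

    # Add the user to the organization member table if not already there.
    default_org = Organization.get_default()
    if not OrganizationMember.objects.filter(
            user=login_user, organization=default_org).exists():
        orgMember = OrganizationMember(user=login_user, organization=default_org)
        orgMember.save()
        orgMember = OrganizationMember.objects.get(
            user=login_user, organization=default_org)
        # Attach the new member to the first team.
        # NOTE(review): the team id is hard-coded to 1 - confirm it exists in
        # every deployment.
        orgMemTeam = OrganizationMemberTeam(organizationmember=orgMember,
                                            team=Team.objects.get(id=1))
        orgMemTeam.save()

    # HACK: grab whatever the first backend is and assume it works
    login_user.backend = settings.AUTHENTICATION_BACKENDS[0]
    auth.login(request, login_user)

    # can_register should only allow a single registration
    request.session.pop('can_register', None)
    request.session.pop('needs_captcha', None)
    return HttpResponseRedirect(next_url)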
def handle(self, request):
    """Route a visitor to the appropriate login flow.

    Signed-in users go to their organization.  In single-organization mode
    everyone else is sent to the default organization's auth page.  An SSO
    request is redirected to the named organization's auth page when it has
    an auth provider, otherwise back to the current path with an error.
    Anything else is handled by ``handle_basic_auth``.
    """
    if request.user.is_authenticated():
        return self.redirect_to_org(request)

    # Single org mode -- send them to the org-specific handler
    if settings.SENTRY_SINGLE_ORGANIZATION:
        default_org = Organization.get_default()
        return HttpResponseRedirect(
            reverse('sentry-auth-organization', args=[default_org.slug]))

    if request.POST.get('op') == 'sso' and request.POST.get('organization'):
        org_slug = request.POST['organization']
        if self.get_auth_provider(org_slug):
            target = reverse('sentry-auth-organization', args=[org_slug])
        else:
            target = request.path
            messages.add_message(request, messages.ERROR, ERR_NO_SSO)
        return HttpResponseRedirect(target)

    if 'session_expired' not in request.COOKIES:
        return self.handle_basic_auth(request)

    # The marker cookie is reported once, then cleared on the response.
    messages.add_message(request, messages.WARNING, WARN_SESSION_EXPIRED)
    response = self.handle_basic_auth(request)
    response.delete_cookie('session_expired')
    return response
def createuser(email, password, superuser, no_password, no_input):
    "Create a new user."
    # The one-line docstring is kept verbatim: click shows a command's
    # docstring as its help text (this function raises click.ClickException,
    # so it is presumably registered as a click command).
    if not no_input:
        # Interactive run: prompt for whatever was not given.
        email = email or _get_email()
        if not password and not no_password:
            password = _get_password()
        if superuser is None:
            superuser = _get_superuser()

    # Still undecided after the optional prompt: default to a regular user.
    superuser = False if superuser is None else superuser

    if not email:
        raise click.ClickException("Invalid or missing email address.")

    # TODO(mattrobenolt): Accept password over stdin?
    if not (no_password or password):
        raise click.ClickException(
            "No password set and --no-password not passed.")

    from sentry import roles
    from sentry.models import User
    from django.conf import settings

    new_user = User(
        email=email,
        username=email,
        is_superuser=superuser,
        is_staff=superuser,
        is_active=True,
    )
    if password:
        # set_password stores a hash; without it the account is saved with
        # no password set by this function.
        new_user.set_password(password)
    new_user.save()
    click.echo("User created: %s" % (email, ))

    # TODO(dcramer): kill this when we improve flows
    if not settings.SENTRY_SINGLE_ORGANIZATION:
        return

    from sentry.models import Organization, OrganizationMember, OrganizationMemberTeam, Team

    org = Organization.get_default()
    # Superusers get the top role, everyone else the organization default.
    role = roles.get_top_dog().id if superuser else org.default_role
    membership = OrganizationMember.objects.create(
        organization=org, user=new_user, role=role)

    # if we've only got a single team let's go ahead and give
    # access to that team as its likely the desired outcome
    candidate_teams = list(Team.objects.filter(organization=org)[:2])
    if len(candidate_teams) == 1:
        OrganizationMemberTeam.objects.create(
            team=candidate_teams[0], organizationmember=membership)
    click.echo("Added to organization: %s" % (org.slug, ))
def get(self, request, *args, **kwargs):
    """
    Get context required to show a login page. Registration is handled elsewhere.

    Authenticated users get ``respond_authenticated`` unless they are a
    superuser without an active superuser session.  In single-organization
    mode the response carries only ``nextUri`` for the default organization's
    auth page.
    """
    user = request.user
    # if the user is a superuser, but not 'superuser authenticated' we
    # allow them to re-authenticate to gain superuser status
    if user.is_authenticated and (
        not user.is_superuser or is_active_superuser(request)
    ):
        return self.respond_authenticated(request)

    # we always reset the state on GET so you don't end up at an odd location
    auth.initiate_login(request, self.get_next_uri(request))

    # Auth login verifies the test cookie is set
    request.session.set_test_cookie()

    # Single org mode -- send them to the org-specific handler
    if settings.SENTRY_SINGLE_ORGANIZATION:
        default_org = Organization.get_default()
        org_auth_uri = reverse("sentry-auth-organization", args=[default_org.slug])
        return Response({"nextUri": org_auth_uri})

    # Checked before the context is built, cleared on the outgoing response.
    had_expired_cookie = "session_expired" in request.COOKIES
    response = Response(self.prepare_login_context(request, *args, **kwargs))
    if had_expired_cookie:
        response.delete_cookie("session_expired")
    return response
def get(self, request, *args, **kwargs):
    """Serve the login page on GET, short-circuiting for signed-in users.

    Authenticated users are passed to ``handle_authenticated`` unless they
    are a superuser without an active superuser session.  Otherwise login
    state is reset and the request goes to the default organization's auth
    page (single-organization mode) or to ``handle_basic_auth``.
    """
    next_uri = self.get_next_uri(request, *args, **kwargs)

    user = request.user
    # if the user is a superuser, but not 'superuser authenticated'
    # we allow them to re-authenticate to gain superuser status
    if user.is_authenticated() and (
            not user.is_superuser or is_active_superuser(request)):
        return self.handle_authenticated(request, *args, **kwargs)

    request.session.set_test_cookie()

    # we always reset the state on GET so you dont end up at an odd location
    auth.initiate_login(request, next_uri)

    # Single org mode -- send them to the org-specific handler
    if settings.SENTRY_SINGLE_ORGANIZATION:
        default_org = Organization.get_default()
        return HttpResponseRedirect(
            reverse('sentry-auth-organization', args=[default_org.slug]))

    if 'session_expired' not in request.COOKIES:
        return self.handle_basic_auth(request, *args, **kwargs)

    # Report the expired session once, then clear the marker cookie.
    messages.add_message(request, messages.WARNING, WARN_SESSION_EXPIRED)
    response = self.handle_basic_auth(request, *args, **kwargs)
    response.delete_cookie('session_expired')
    return response
def get(self, request, **kwargs):
    """Serve the login page on GET, short-circuiting for signed-in users.

    Authenticated users are passed to ``handle_authenticated`` unless they
    are a superuser without an active superuser session.  Otherwise login
    state is reset and the request goes to the default organization's auth
    page (single-organization mode) or to ``handle_basic_auth``.
    """
    next_uri = self.get_next_uri(request)

    user = request.user
    # if the user is a superuser, but not 'superuser authenticated'
    # we allow them to re-authenticate to gain superuser status
    if user.is_authenticated() and (
        not user.is_superuser or is_active_superuser(request)
    ):
        return self.handle_authenticated(request)

    request.session.set_test_cookie()

    # we always reset the state on GET so you dont end up at an odd location
    auth.initiate_login(request, next_uri)

    # Single org mode -- send them to the org-specific handler
    if settings.SENTRY_SINGLE_ORGANIZATION:
        default_org = Organization.get_default()
        return HttpResponseRedirect(
            reverse("sentry-auth-organization", args=[default_org.slug])
        )

    if "session_expired" not in request.COOKIES:
        return self.handle_basic_auth(request, **kwargs)

    # Report the expired session once, then clear the marker cookie.
    messages.add_message(request, messages.WARNING, WARN_SESSION_EXPIRED)
    response = self.handle_basic_auth(request, **kwargs)
    response.delete_cookie("session_expired")
    return response
def org_delete_confirm(request):
    """Render a preview of the organization-deletion confirmation e-mail.

    Uses the default organization and an ``AuditLogEntry`` built from the
    current request; the entry is only constructed here, never saved.
    """
    from sentry.models import AuditLogEntry

    org = Organization.get_default()
    # In-memory entry for the template; the address is what the server
    # recorded as the peer of this request.
    audit_entry = AuditLogEntry(
        organization=org,
        actor=request.user,
        ip_address=request.META['REMOTE_ADDR'],
    )

    preview_context = {
        'organization': org,
        'audit_log_entry': audit_entry,
        # The preview shows a deadline one day from now.
        'eta': timezone.now() + timedelta(days=1),
        'url': absolute_uri(
            reverse('sentry-restore-organization', args=[org.slug])),
    }
    preview = MailPreview(
        html_template='sentry/emails/org_delete_confirm.html',
        text_template='sentry/emails/org_delete_confirm.txt',
        context=preview_context,
    )
    return preview.render(request)
def register(request):
    """Handle the self-registration form.

    Registration is allowed when the ``auth:register`` feature is on or the
    session carries ``can_register``; otherwise the visitor is redirected
    away.  A valid form creates the user, adds them to the default
    organization in single-organization mode, logs them in and redirects.
    After a first rejected POST the form is rebuilt with a captcha.
    """
    from django.conf import settings

    registration_open = features.has('auth:register') or request.session.get('can_register')
    if not registration_open:
        return HttpResponseRedirect(reverse('sentry'))

    captcha_required = bool(request.session.get('needs_captcha'))
    form = RegistrationForm(request.POST or None, captcha=captcha_required)

    if form.is_valid():
        user = form.save()

        # TODO(dcramer): ideally this would be handled by a special view
        # specifically for organization registration
        if settings.SENTRY_SINGLE_ORGANIZATION:
            org = Organization.get_default()

            membership = {
                'has_global_access': True,
                'type': OrganizationMemberType.MEMBER,
            }
            try:
                provider = AuthProvider.objects.get(organization=org.id)
            except AuthProvider.DoesNotExist:
                provider = None
            if provider is not None:
                # The organization's auth provider overrides the defaults.
                membership['has_global_access'] = provider.default_global_access
                membership['type'] = provider.default_role

            org.member_set.create(user=user, **membership)

        # can_register should only allow a single registration
        request.session.pop('can_register', None)

        # HACK: grab whatever the first backend is and assume it works
        user.backend = settings.AUTHENTICATION_BACKENDS[0]
        login_user(request, user)

        request.session.pop('needs_captcha', None)
        return login_redirect(request)

    if request.POST and not request.session.get('needs_captcha'):
        # First rejected submission: require a captcha from now on, but do not
        # report the captcha as an error the user has not yet had a chance to fix.
        request.session['needs_captcha'] = 1
        form = RegistrationForm(request.POST or None, captcha=True)
        form.errors.pop('captcha', None)

    return render_to_response('sentry/register.html', {'form': form}, request)
def createuser(email, password, superuser, no_password, no_input):
    "Create a new user."
    # The one-line docstring is kept verbatim: click shows a command's
    # docstring as its help text (this function raises click.ClickException,
    # so it is presumably registered as a click command).
    if not no_input:
        # Interactive run: prompt for whatever was not given.
        email = email or _get_email()
        if not password and not no_password:
            password = _get_password()
        if superuser is None:
            superuser = _get_superuser()

    # Still undecided after the optional prompt: default to a regular user.
    superuser = False if superuser is None else superuser

    if not email:
        raise click.ClickException('Invalid or missing email address.')

    # TODO(mattrobenolt): Accept password over stdin?
    if not (no_password or password):
        raise click.ClickException(
            'No password set and --no-password not passed.')

    from sentry import roles
    from sentry.models import User
    from django.conf import settings

    account = dict(
        email=email,
        username=email,
        is_superuser=superuser,
        is_staff=superuser,
        is_active=True,
    )
    new_user = User(**account)
    if password:
        # set_password stores a hash of the given password on the model.
        new_user.set_password(password)
    new_user.save()
    click.echo('User created: %s' % (email, ))

    # TODO(dcramer): kill this when we improve flows
    if not settings.SENTRY_SINGLE_ORGANIZATION:
        return

    from sentry.models import Organization, OrganizationMember

    org = Organization.get_default()
    # Superusers get the top role, everyone else the organization default.
    role = roles.get_top_dog().id if superuser else org.default_role
    OrganizationMember.objects.create(organization=org, user=new_user, role=role)
    click.echo('Added to organization: %s' % (org.slug, ))
def createuser(email, password, superuser, no_password, no_input):
    "Create a new user."
    # The one-line docstring is kept verbatim: click shows a command's
    # docstring as its help text (this function raises click.ClickException,
    # so it is presumably registered as a click command).
    interactive = not no_input
    if interactive and not email:
        email = _get_email()
    if interactive and not (password or no_password):
        password = _get_password()
    if interactive and superuser is None:
        superuser = _get_superuser()

    # Still undecided after the optional prompt: default to a regular user.
    if superuser is None:
        superuser = False

    if not email:
        raise click.ClickException('Invalid or missing email address.')

    # TODO(mattrobenolt): Accept password over stdin?
    password_missing = not password
    if password_missing and not no_password:
        raise click.ClickException('No password set and --no-password not passed.')

    from sentry import roles
    from sentry.models import User
    from django.conf import settings

    new_user = User(
        email=email,
        username=email,
        is_superuser=superuser,
        is_staff=superuser,
        is_active=True,
    )
    if not password_missing:
        # set_password stores a hash of the given password on the model.
        new_user.set_password(password)
    new_user.save()
    click.echo('User created: %s' % (email,))

    # TODO(dcramer): kill this when we improve flows
    if settings.SENTRY_SINGLE_ORGANIZATION:
        from sentry.models import Organization, OrganizationMember

        org = Organization.get_default()
        # Superusers get the top role, everyone else the organization default.
        role = roles.get_top_dog().id if superuser else org.default_role
        OrganizationMember.objects.create(
            organization=org, user=new_user, role=role)
        click.echo('Added to organization: %s' % (org.slug,))
def register(request):
    """Handle the self-registration form.

    Registration is allowed when the ``auth:register`` feature is on or the
    session carries ``can_register``; otherwise the visitor is redirected
    away.  A valid form creates the user, adds them to the default
    organization in single-organization mode, logs them in and redirects.
    After a first rejected POST the form is rebuilt with a captcha.
    """
    from django.conf import settings

    if not features.has('auth:register') and not request.session.get('can_register'):
        return HttpResponseRedirect(reverse('sentry'))

    form = RegistrationForm(
        request.POST or None,
        captcha=bool(request.session.get('needs_captcha')),
    )

    if not form.is_valid():
        if request.POST and not request.session.get('needs_captcha'):
            # First rejected submission: require a captcha from now on, and
            # drop the captcha error from the freshly built form.
            request.session['needs_captcha'] = 1
            form = RegistrationForm(request.POST or None, captcha=True)
            form.errors.pop('captcha', None)
        return render_to_response('sentry/register.html', {
            'form': form,
        }, request)

    user = form.save()

    # TODO(dcramer): ideally this would be handled by a special view
    # specifically for organization registration
    if settings.SENTRY_SINGLE_ORGANIZATION:
        org = Organization.get_default()

        defaults = {
            'has_global_access': True,
            'type': OrganizationMemberType.MEMBER,
        }
        try:
            auth_provider = AuthProvider.objects.get(organization=org.id)
        except AuthProvider.DoesNotExist:
            auth_provider = None
        if auth_provider is not None:
            # The organization's auth provider overrides the defaults.
            defaults.update({
                'has_global_access': auth_provider.default_global_access,
                'type': auth_provider.default_role,
            })

        org.member_set.create(user=user, **defaults)

    # can_register should only allow a single registration
    request.session.pop('can_register', None)

    # HACK: grab whatever the first backend is and assume it works
    user.backend = settings.AUTHENTICATION_BACKENDS[0]
    login_user(request, user)

    request.session.pop('needs_captcha', None)
    return login_redirect(request)
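def handle(self, **options):
    """Create a user from the command options, prompting for missing values.

    Unless ``noinput`` is set, the e-mail, password and superuser flag are
    asked for interactively when absent.  The user is saved with the e-mail
    as username; in single-organization mode they are also added to the
    default organization.

    Raises:
        CommandError: no e-mail, or no password without ``nopassword``.
    """
    email = options['email']
    is_superuser = options['is_superuser']
    password = options['password']

    if not options['noinput']:
        try:
            if not email:
                email = self.get_email()

            if not (password or options['nopassword']):
                password = self.get_password()

            if is_superuser is None:
                is_superuser = self.get_superuser()
        except KeyboardInterrupt:
            self.stderr.write("\nOperation cancelled.")
            sys.exit(1)

    # With noinput the flag is never prompted for and may still be None.
    # Default to a regular user rather than passing None to the model fields.
    if is_superuser is None:
        is_superuser = False

    if not email:
        raise CommandError('Invalid or missing email address')

    if not options['nopassword'] and not password:
        raise CommandError('No password set and --no-password not passed')

    user = User(
        email=email,
        username=email,
        is_superuser=is_superuser,
        is_staff=is_superuser,
        is_active=True,
    )

    if password:
        # set_password stores a hash of the given password on the model.
        user.set_password(password)

    user.save()

    self.stdout.write('User created: %s' % (email,))

    # TODO(dcramer): kill this when we improve flows
    if settings.SENTRY_SINGLE_ORGANIZATION:
        org = Organization.get_default()
        # NOTE(review): every user created here joins the default organization
        # as OWNER, superuser or not - confirm that this is intended.
        OrganizationMember.objects.create(
            organization=org,
            user=user,
            type=OrganizationMemberType.OWNER,
            has_global_access=user.is_superuser,
        )
        self.stdout.write('Added to organization: %s' % (org.slug,))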
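def handle(self, **options):
    """Create a user from the command options, prompting for missing values.

    Unless ``noinput`` is set, the e-mail, password and superuser flag are
    asked for interactively when absent.  The user is saved with the e-mail
    as username; in single-organization mode they are also added to the
    default organization.

    Raises:
        CommandError: no e-mail, or no password without ``nopassword``.
    """
    email = options['email']
    is_superuser = options['is_superuser']
    password = options['password']

    if not options['noinput']:
        try:
            if not email:
                email = self.get_email()

            if not (password or options['nopassword']):
                password = self.get_password()

            if is_superuser is None:
                is_superuser = self.get_superuser()
        except KeyboardInterrupt:
            self.stderr.write("\nOperation cancelled.")
            sys.exit(1)

    # With noinput the flag is never prompted for and may still be None.
    # Default to a regular user rather than passing None to the model fields.
    if is_superuser is None:
        is_superuser = False

    if not email:
        raise CommandError('Invalid or missing email address')

    if not options['nopassword'] and not password:
        raise CommandError('No password set and --no-password not passed')

    user = User(
        email=email,
        username=email,
        is_superuser=is_superuser,
        is_staff=is_superuser,
        is_active=True,
    )

    if password:
        # set_password stores a hash of the given password on the model.
        user.set_password(password)

    user.save()

    self.stdout.write('User created: %s' % (email, ))

    # TODO(dcramer): kill this when we improve flows
    if settings.SENTRY_SINGLE_ORGANIZATION:
        org = Organization.get_default()
        # NOTE(review): every user created here joins the default organization
        # as OWNER, superuser or not - confirm that this is intended.
        OrganizationMember.objects.create(
            organization=org,
            user=user,
            type=OrganizationMemberType.OWNER,
            has_global_access=user.is_superuser,
        )
        self.stdout.write('Added to organization: %s' % (org.slug, ))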
def org_delete_confirm(request):
    """Render a preview of the organization-deletion confirmation e-mail.

    Uses the default organization and an ``AuditLogEntry`` built from the
    current request; the entry is only constructed here, never saved.
    """
    from sentry.models import AuditLogEntry

    org = Organization.get_default()
    # In-memory entry for the template; the address is what the server
    # recorded as the peer of this request.
    audit_entry = AuditLogEntry(
        organization=org,
        actor=request.user,
        ip_address=request.META["REMOTE_ADDR"],
    )

    # The preview shows a deadline one day from now.
    restore_deadline = timezone.now() + timedelta(days=1)
    restore_url = absolute_uri(reverse("sentry-restore-organization", args=[org.slug]))

    preview = MailPreview(
        html_template="sentry/emails/org_delete_confirm.html",
        text_template="sentry/emails/org_delete_confirm.txt",
        context={
            "organization": org,
            "audit_log_entry": audit_entry,
            "eta": restore_deadline,
            "url": restore_url,
        },
    )
    return preview.render(request)
def handle(self, request):
    """Pick the login flow for this request.

    Single-organization mode always redirects to the default organization's
    auth page.  An SSO request is redirected to the named organization's
    auth page when it has an auth provider, otherwise back to the current
    path with an error.  Everything else goes to ``handle_basic_auth``.
    """
    if settings.SENTRY_SINGLE_ORGANIZATION:
        default_org = Organization.get_default()
        return HttpResponseRedirect(
            reverse('sentry-auth-organization', args=[default_org.slug]))

    wants_sso = request.POST.get('op') == 'sso' and request.POST.get('organization')
    if not wants_sso:
        return self.handle_basic_auth(request)

    org_slug = request.POST['organization']
    if self.get_auth_provider(org_slug):
        target = reverse('sentry-auth-organization', args=[org_slug])
    else:
        # No provider for that organization: stay on this page and say so.
        target = request.path
        messages.add_message(request, messages.ERROR, ERR_NO_SSO)
    return HttpResponseRedirect(target)
def handle(self, request):
    """Pick the login flow for this request.

    Single-organization mode always redirects to the default organization's
    auth page.  An SSO request is redirected to the named organization's
    auth page when it has an auth provider, otherwise back to the current
    path with an error.  Everything else goes to ``handle_basic_auth``.
    """
    if settings.SENTRY_SINGLE_ORGANIZATION:
        return HttpResponseRedirect(
            reverse('sentry-auth-organization',
                    args=[Organization.get_default().slug]))

    post = request.POST
    if post.get('op') == 'sso' and post.get('organization'):
        requested_org = post['organization']
        if not self.get_auth_provider(requested_org):
            # No provider for that organization: stay on this page and say so.
            fallback = request.path
            messages.add_message(request, messages.ERROR, ERR_NO_SSO)
            return HttpResponseRedirect(fallback)
        return HttpResponseRedirect(
            reverse('sentry-auth-organization', args=[requested_org]))

    return self.handle_basic_auth(request)
def handle(self, request):
    """Route a visitor to the appropriate login flow.

    A signed-in user is redirected to the requested ``next`` target when
    ``auth.is_valid_redirect`` accepts it, otherwise to their organization.
    Other visitors get a test cookie and, if a target was requested, have it
    recorded through ``auth.initiate_login`` before the single-organization,
    SSO or basic-auth flow is chosen.
    """
    next_uri = request.GET.get(REDIRECT_FIELD_NAME, None)

    if request.user.is_authenticated():
        # The target comes from the query string, so it is followed only
        # after auth.is_valid_redirect has accepted it.
        if not auth.is_valid_redirect(next_uri):
            return self.redirect_to_org(request)
        return self.redirect(next_uri)

    request.session.set_test_cookie()

    if next_uri:
        auth.initiate_login(request, next_uri)

    # Single org mode -- send them to the org-specific handler
    if settings.SENTRY_SINGLE_ORGANIZATION:
        default_org = Organization.get_default()
        return HttpResponseRedirect(
            reverse("sentry-auth-organization", args=[default_org.slug])
        )

    if request.POST.get("op") == "sso" and request.POST.get("organization"):
        org_slug = request.POST["organization"]
        if self.get_auth_provider(org_slug):
            target = reverse("sentry-auth-organization", args=[org_slug])
        else:
            target = request.path
            messages.add_message(request, messages.ERROR, ERR_NO_SSO)
        return HttpResponseRedirect(target)

    if "session_expired" not in request.COOKIES:
        return self.handle_basic_auth(request)

    # Report the expired session once, then clear the marker cookie.
    messages.add_message(request, messages.WARNING, WARN_SESSION_EXPIRED)
    response = self.handle_basic_auth(request)
    response.delete_cookie("session_expired")
    return response
def org_delete_confirm(request):
    """Render a preview of the organization-deletion confirmation e-mail.

    Uses the default organization and an ``AuditLogEntry`` built from the
    current request; the entry is only constructed here, never saved.
    """
    from sentry.models import AuditLogEntry

    default_org = Organization.get_default()
    # In-memory entry for the template; the address is what the server
    # recorded as the peer of this request.
    log_entry = AuditLogEntry(
        organization=default_org,
        actor=request.user,
        ip_address=request.META['REMOTE_ADDR'],
    )

    template_context = {
        'organization': default_org,
        'audit_log_entry': log_entry,
        # The preview shows a deadline one day from now.
        'eta': timezone.now() + timedelta(days=1),
        'url': absolute_uri(
            reverse('sentry-restore-organization', args=[default_org.slug])),
    }
    return MailPreview(
        html_template='sentry/emails/org_delete_confirm.html',
        text_template='sentry/emails/org_delete_confirm.txt',
        context=template_context,
    ).render(request)
def handle_basic_auth(self, request, **kwargs):
    """Process the combined login / registration form.

    A valid registration form creates the user, logs them in and redirects.
    Otherwise, on POST, a login attempt is rate limited per username and
    then validated; success logs the user in and redirects.  Every other
    case falls through to rendering the login page via ``respond_login``.

    ``organization`` is removed from ``kwargs`` and, when given, its id is
    passed to ``auth.login``.
    """
    can_register = self.can_register(request)

    op = request.POST.get("op")
    organization = kwargs.pop("organization", None)

    if not op:
        # Detect that we are on the register page by url /register/ and
        # then activate the register tab by default.
        if "/register" in request.path_info and can_register:
            op = "register"
        elif request.GET.get("op") == "sso":
            op = "sso"

    login_form = self.get_login_form(request)
    if can_register:
        # Pre-fill the username from an invite e-mail kept in the session.
        register_form = self.get_register_form(
            request, initial={"username": request.session.get("invite_email", "")}
        )
    else:
        register_form = None

    if can_register and register_form.is_valid():
        user = register_form.save()
        user.send_confirm_emails(is_new_user=True)
        user_signup.send_robust(
            sender=self, user=user, source="register-form", referrer="in-app"
        )

        # HACK: grab whatever the first backend is and assume it works
        user.backend = settings.AUTHENTICATION_BACKENDS[0]

        auth.login(request, user, organization_id=organization.id if organization else None)

        # can_register should only allow a single registration
        request.session.pop("can_register", None)
        request.session.pop("invite_email", None)

        # In single org mode, associate the user to the organization
        if settings.SENTRY_SINGLE_ORGANIZATION:
            organization = Organization.get_default()
            OrganizationMember.objects.create(
                organization=organization, role=organization.default_role, user=user
            )

        # Attempt to directly accept any pending invites
        invite_helper = ApiInviteHelper.from_cookie(request=request, instance=self)

        if invite_helper and invite_helper.valid_request:
            invite_helper.accept_invite()
            response = self.redirect_to_org(request)
            remove_invite_cookie(request, response)

            return response

        return self.redirect(auth.get_login_redirect(request))

    elif request.method == "POST":
        from sentry.app import ratelimiter
        from sentry.utils.hashlib import md5_text

        # Only a POST carrying both a username and a password counts as a
        # login attempt for rate limiting.
        login_attempt = (
            op == "login" and request.POST.get("username") and request.POST.get("password")
        )

        # The limiter bucket is keyed on the cleaned username; md5_text only
        # turns it into a fixed-format key and protects nothing.
        # NOTE(review): no per-address limit is visible in this function -
        # confirm whether one is applied elsewhere.
        if login_attempt and ratelimiter.is_limited(
            u"auth:login:username:{}".format(
                md5_text(login_form.clean_username(request.POST["username"])).hexdigest()
            ),
            limit=10,
            window=60,  # 10 per minute should be enough for anyone
        ):
            login_form.errors["__all__"] = [
                u"You have made too many login attempts. Please try again later."
            ]
            metrics.incr(
                "login.attempt", instance="rate_limited", skip_internal=True, sample_rate=1.0
            )
        elif login_form.is_valid():
            user = login_form.get_user()

            auth.login(request, user, organization_id=organization.id if organization else None)
            metrics.incr(
                "login.attempt", instance="success", skip_internal=True, sample_rate=1.0
            )

            # The session is established before this check; an inactive
            # account is sent to the reactivation page.
            if not user.is_active:
                return self.redirect(reverse("sentry-reactivate-account"))

            return self.redirect(auth.get_login_redirect(request))
        else:
            metrics.incr(
                "login.attempt", instance="failure", skip_internal=True, sample_rate=1.0
            )

    # Reached for GET requests and for rejected or rate-limited POSTs.
    context = {
        "op": op or "login",
        "server_hostname": get_server_hostname(),
        "login_form": login_form,
        "organization": organization,
        "register_form": register_form,
        "CAN_REGISTER": can_register,
        "join_request_link": self.get_join_request_link(organization),
    }
    context.update(additional_context.run_callbacks(request))

    return self.respond_login(request, context, **kwargs)
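def createuser(email, password, superuser, no_password, no_input, force_update):
    "Create a new user."
    # The one-line docstring is kept verbatim: click shows a command's
    # docstring as its help text (this function raises click.ClickException,
    # so it is presumably registered as a click command).
    #
    # With force_update an existing user (matched by username == email) has
    # its fields overwritten; without it the command exits with status 3.
    if not no_input:
        if not email:
            email = _get_email()

        if not (password or no_password):
            password = _get_password()

        if superuser is None:
            superuser = _get_superuser()

    if superuser is None:
        superuser = False

    if not email:
        raise click.ClickException("Invalid or missing email address.")

    # TODO(mattrobenolt): Accept password over stdin?
    if not no_password and not password:
        raise click.ClickException("No password set and --no-password not passed.")

    from django.conf import settings

    from sentry import roles
    from sentry.models import User

    fields = dict(
        email=email, username=email, is_superuser=superuser, is_staff=superuser, is_active=True
    )

    verb = None
    try:
        user = User.objects.get(username=email)
    except User.DoesNotExist:
        user = None

    if user is not None:
        if force_update:
            user.update(**fields)
            verb = "updated"
        else:
            click.echo(f"User: {email} exists, use --force-update to force")
            sys.exit(3)
    else:
        user = User.objects.create(**fields)
        verb = "created"

        # TODO(dcramer): kill this when we improve flows
    if settings.SENTRY_SINGLE_ORGANIZATION:
        from sentry.models import Organization, OrganizationMember, OrganizationMemberTeam, Team

        org = Organization.get_default()
        if superuser:
            role = roles.get_top_dog().id
        else:
            role = org.default_role
        # An updated user may already belong to the organization; reuse that
        # membership instead of creating a second row.  An existing
        # membership keeps its current role.
        member, _ = OrganizationMember.objects.get_or_create(
            organization=org, user=user, defaults={"role": role}
        )

        # if we've only got a single team let's go ahead and give
        # access to that team as its likely the desired outcome
        teams = list(Team.objects.filter(organization=org)[0:2])
        if len(teams) == 1:
            OrganizationMemberTeam.objects.get_or_create(
                team=teams[0], organizationmember=member
            )
        click.echo(f"Added to organization: {org.slug}")

    if password:
        # set_password stores a hash of the given password on the model.
        user.set_password(password)
        user.save()

    click.echo(f"User {verb}: {email}")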
def createuser(email, password, superuser, no_password, no_input):
    "Create a new user."
    # The one-line docstring is kept verbatim: click shows a command's
    # docstring as its help text (this function raises click.ClickException,
    # so it is presumably registered as a click command).
    if not no_input:
        # Interactive run: prompt for whatever was not given.
        email = email or _get_email()
        if not password and not no_password:
            password = _get_password()
        if superuser is None:
            superuser = _get_superuser()

    # Still undecided after the optional prompt: default to a regular user.
    superuser = False if superuser is None else superuser

    if not email:
        raise click.ClickException('Invalid or missing email address.')

    # TODO(mattrobenolt): Accept password over stdin?
    if not (no_password or password):
        raise click.ClickException('No password set and --no-password not passed.')

    from sentry import roles
    from sentry.models import User
    from django.conf import settings

    new_user = User(
        email=email,
        username=email,
        is_superuser=superuser,
        is_staff=superuser,
        is_active=True,
    )
    if password:
        # set_password stores a hash of the given password on the model.
        new_user.set_password(password)
    new_user.save()
    click.echo('User created: %s' % (email, ))

    # TODO(dcramer): kill this when we improve flows
    if not settings.SENTRY_SINGLE_ORGANIZATION:
        return

    from sentry.models import (Organization, OrganizationMember,
                               OrganizationMemberTeam, Team)

    org = Organization.get_default()
    # Superusers get the top role, everyone else the organization default.
    role = roles.get_top_dog().id if superuser else org.default_role
    membership = OrganizationMember.objects.create(
        organization=org,
        user=new_user,
        role=role,
    )

    # if we've only got a single team let's go ahead and give
    # access to that team as its likely the desired outcome
    candidate_teams = list(Team.objects.filter(organization=org)[:2])
    if len(candidate_teams) == 1:
        OrganizationMemberTeam.objects.create(
            team=candidate_teams[0],
            organizationmember=membership,
        )
    click.echo('Added to organization: %s' % (org.slug, ))