def openid_login_callback(request): #构造需要检查签名的内容 OPENID_RESPONSE = dict(request.GET) SIGNED_CONTENT = [] #import json #print json.dumps(OPENID_RESPONSE, indent=4) for k in OPENID_RESPONSE['openid.signed'][0].split(","): response_data = OPENID_RESPONSE["openid.%s" % k] SIGNED_CONTENT.append("%s:%s\n" % (k, response_data[0])) SIGNED_CONTENT = "".join(SIGNED_CONTENT).encode("UTF-8") # 使用associate请求获得的mac_key与SIGNED_CONTENT进行assoc_type hash, # 检查是否与OpenID Server返回的一致 SIGNED_CONTENT_SIG = base64.b64encode( hmac.new(base64.b64decode(request.session.get('mac_key', '')), SIGNED_CONTENT, hashlib.sha256).digest()) if SIGNED_CONTENT_SIG != OPENID_RESPONSE['openid.sig'][0]: return '认证失败,请重新登录验证' request.session.pop('mac_key', None) email = request.GET.get('openid.sreg.email', '') fullname = request.GET.get('openid.sreg.fullname', '') next_url = request.GET.get('next', '/') login_user = User.objects.filter(username__iexact=email) if login_user.exists(): login_user = login_user[0] login_user.set_password("sentry_netease_openid_pwd") login_user.name = fullname # update by hzwangzhiwei @20160329 login_user.save() else: #不存在数据,则增加数据数用户表 login_user = User(username=email, name=fullname, email=email) login_user.set_password("sentry_netease_openid_pwd") login_user.save() #save to db # 如果不存在将这个人加入到组织member表中 if not OrganizationMember.objects.filter( user=login_user, organization=Organization.get_default()).exists(): # 同时给他们默认的trace收集 # 将用户到组织中 orgMember = OrganizationMember(user=login_user, organization=Organization.get_default()) orgMember.save() orgMember = OrganizationMember.objects.get( user=login_user, organization=Organization.get_default()) # 保存组织者到第一个小组 orgMemTeam = OrganizationMemberTeam(organizationmember=orgMember, team=Team.objects.get(id=1)) orgMemTeam.save() # HACK: grab whatever the first backend is and assume it works login_user.backend = settings.AUTHENTICATION_BACKENDS[0] auth.login(request, login_user) # can_register should only allow a single registration request.session.pop('can_register', None) request.session.pop('needs_captcha', None) return HttpResponseRedirect(next_url)
def delete(self, request, organization, member_id, team_slug): """ Leave a team Leave a team. """ try: om = self._get_member(request, organization, member_id) except OrganizationMember.DoesNotExist: raise ResourceDoesNotExist if not self._can_access(request, om): return Response({'detail': ERR_INSUFFICIENT_ROLE}, status=400) try: team = Team.objects.get( organization=organization, slug=team_slug, ) except Team.DoesNotExist: raise ResourceDoesNotExist try: omt = OrganizationMemberTeam.objects.get( team=team, organizationmember=om, ) except OrganizationMemberTeam.DoesNotExist: # we need to create the row in order to handle superusers leaving a # team which they were never a member for (therefor there was never # a matching row) omt = OrganizationMemberTeam( team=team, organizationmember=om, # setting this to true ensures it gets saved below is_active=True, ) if omt.is_active: omt.is_active = False omt.save() self.create_audit_entry( request=request, organization=organization, target_object=omt.id, target_user=om.user, event=AuditLogEntryEvent.MEMBER_LEAVE_TEAM, data=omt.get_audit_log_data(), ) return Response(serialize( team, request.user, TeamWithProjectsSerializer()), status=200)
def save_team_assignments(self, organization_member): OrganizationMemberTeam.objects.filter(organizationmember=organization_member).delete() OrganizationMemberTeam.objects.bulk_create([ OrganizationMemberTeam(team=team, organizationmember=organization_member) for team in self.cleaned_data['teams'] ])
def save_team_assignments(self, organization_member, teams): # teams may be empty OrganizationMemberTeam.objects.filter( organizationmember=organization_member).delete() OrganizationMemberTeam.objects.bulk_create([ OrganizationMemberTeam(team=team, organizationmember=organization_member) for team in teams ])
def sentry_update_team_member(team, organization_member): model = sentry_find_team_member(team, organization_member) existing = model is not None if not existing: model = OrganizationMemberTeam() model.organizationmember = organization_member model.team = team model.save() return model, existing
def delete(self, request, organization, member_id, team_slug): """ Leave a team Leave a team. """ try: om = self._get_member(request, organization, member_id) except OrganizationMember.DoesNotExist: raise ResourceDoesNotExist if not self._can_access(request, om): return Response({'detail': ERR_INSUFFICIENT_ROLE}, status=400) try: team = Team.objects.get( organization=organization, slug=team_slug, ) except Team.DoesNotExist: raise ResourceDoesNotExist try: omt = OrganizationMemberTeam.objects.get( team=team, organizationmember=om, ) except OrganizationMemberTeam.DoesNotExist: # we need to create the row in order to handle superusers leaving a # team which they were never a member for (therefor there was never # a matching row) omt = OrganizationMemberTeam( team=team, organizationmember=om, # setting this to true ensures it gets saved below is_active=True, ) if omt.is_active: omt.is_active = False omt.save() self.create_audit_entry( request=request, organization=organization, target_object=omt.id, target_user=om.user, event=AuditLogEntryEvent.MEMBER_LEAVE_TEAM, data=omt.get_audit_log_data(), ) return Response(serialize(team, request.user, TeamWithProjectsSerializer()), status=200)
def put(self, request: Request, organization, member_id) -> Response: try: om = self._get_member(request, organization, member_id) except OrganizationMember.DoesNotExist: raise ResourceDoesNotExist serializer = OrganizationMemberSerializer(data=request.data, partial=True) if not serializer.is_valid(): return Response(status=400) try: auth_provider = AuthProvider.objects.get(organization=organization) auth_provider = auth_provider.get_provider() except AuthProvider.DoesNotExist: auth_provider = None allowed_roles = None result = serializer.validated_data # XXX(dcramer): if/when this expands beyond reinvite we need to check # access level if result.get("reinvite"): if om.is_pending: if ratelimits.for_organization_member_invite( organization=organization, email=om.email, user=request.user, auth=request.auth, ): metrics.incr( "member-invite.attempt", instance="rate_limited", skip_internal=True, sample_rate=1.0, ) return Response({"detail": ERR_RATE_LIMITED}, status=429) if result.get("regenerate"): if request.access.has_scope("member:admin"): om.regenerate_token() om.save() else: return Response({"detail": ERR_INSUFFICIENT_SCOPE}, status=400) if om.token_expired: return Response({"detail": ERR_EXPIRED}, status=400) om.send_invite_email() elif auth_provider and not getattr(om.flags, "sso:linked"): om.send_sso_link_email(request.user, auth_provider) else: # TODO(dcramer): proper error message return Response({"detail": ERR_UNINVITABLE}, status=400) if "teams" in result: # dupe code from member_index # ensure listed teams are real teams teams = list( Team.objects.filter(organization=organization, status=TeamStatus.VISIBLE, slug__in=result["teams"])) if len(set(result["teams"])) != len(teams): return Response({"teams": "Invalid team"}, status=400) with transaction.atomic(): # teams may be empty OrganizationMemberTeam.objects.filter( organizationmember=om).delete() OrganizationMemberTeam.objects.bulk_create([ OrganizationMemberTeam(team=team, organizationmember=om) for team in teams ]) if result.get("role"): _, allowed_roles = get_allowed_roles(request, organization) allowed_role_ids = {r.id for r in allowed_roles} # A user cannot promote others above themselves if result["role"] not in allowed_role_ids: return Response( { "role": "You do not have permission to assign the given role." }, status=403) # A user cannot demote a superior if om.role not in allowed_role_ids: return Response( { "role": "You do not have permission to assign a role to the given user." }, status=403, ) if om.user == request.user and (result["role"] != om.role): return Response( {"detail": "You cannot make changes to your own role."}, status=400) om.update(role=result["role"]) self.create_audit_entry( request=request, organization=organization, target_object=om.id, target_user=om.user, event=AuditLogEntryEvent.MEMBER_EDIT, data=om.get_audit_log_data(), ) context = self._serialize_member(om, request, allowed_roles) return Response(context)
def post(self, request, organization, member_id, team_slug): """ Join a team Join or request access to a team. If the user is already a member of the team, this will simply return a 204. If the user needs permission to join the team, an access request will be generated and the returned status code will be 202. """ try: om = self._get_member(request, organization, member_id) except OrganizationMember.DoesNotExist: raise ResourceDoesNotExist if not self._can_access(request, om): return Response({'detail': ERR_INSUFFICIENT_ROLE}, status=400) try: team = Team.objects.get( organization=organization, slug=team_slug, ) except Team.DoesNotExist: raise ResourceDoesNotExist if not om.has_global_access: try: omt = OrganizationMemberTeam.objects.get( team=team, organizationmember=om, ) except OrganizationMemberTeam.DoesNotExist: # TODO(dcramer): this should create a pending request and # return a 202 if not organization.flags.allow_joinleave: omt, created = OrganizationAccessRequest.objects.get_or_create( team=team, member=om, ) if created: omt.send_request_email() return Response(status=202) omt = OrganizationMemberTeam( team=team, organizationmember=om, is_active=False, ) if omt.is_active: return Response(status=204) else: try: omt = OrganizationMemberTeam.objects.get( team=team, organizationmember=om, ) except OrganizationMemberTeam.DoesNotExist: # if the relationship doesnt exist, they're already a member return Response(status=204) omt.is_active = True omt.save() self.create_audit_entry( request=request, organization=organization, target_object=omt.id, target_user=om.user, event=AuditLogEntryEvent.MEMBER_JOIN_TEAM, data=omt.get_audit_log_data(), ) return Response(serialize( team, request.user, TeamWithProjectsSerializer()), status=201)
def delete(self, request, organization, member_id, team_slug): """ Leave a team Leave a team. """ try: om = self._get_member(request, organization, member_id) except OrganizationMember.DoesNotExist: raise ResourceDoesNotExist if not self._can_access(request, om): return Response({'detail': ERR_INSUFFICIENT_ROLE}, status=400) try: team = Team.objects.get( organization=organization, slug=team_slug, ) except Team.DoesNotExist: raise ResourceDoesNotExist if not om.has_global_access: try: omt = OrganizationMemberTeam.objects.get( team=team, organizationmember=om, ) except OrganizationMemberTeam.DoesNotExist: # if the relationship doesnt exist, they're already a member return Response(serialize( team, request.user, TeamWithProjectsSerializer()), status=200) else: try: omt = OrganizationMemberTeam.objects.get( team=team, organizationmember=om, is_active=True, ) except OrganizationMemberTeam.DoesNotExist: omt = OrganizationMemberTeam( team=team, organizationmember=om, is_active=True, ) if omt.is_active: omt.is_active = False omt.save() self.create_audit_entry( request=request, organization=organization, target_object=omt.id, target_user=om.user, event=AuditLogEntryEvent.MEMBER_LEAVE_TEAM, data=omt.get_audit_log_data(), ) return Response(serialize( team, request.user, TeamWithProjectsSerializer()), status=200)
def put(self, request, organization, member_id): try: om = self._get_member(request, organization, member_id) except OrganizationMember.DoesNotExist: raise ResourceDoesNotExist serializer = OrganizationMemberSerializer(data=request.DATA, partial=True) if not serializer.is_valid(): return Response(status=400) try: auth_provider = AuthProvider.objects.get(organization=organization) auth_provider = auth_provider.get_provider() except AuthProvider.DoesNotExist: auth_provider = None allowed_roles = None result = serializer.object # XXX(dcramer): if/when this expands beyond reinvite we need to check # access level if result.get('reinvite'): if om.is_pending: if result.get('regenerate'): if request.access.has_scope('member:admin'): om.update(token=om.generate_token()) else: return Response({'detail': ERR_INSUFFICIENT_SCOPE}, status=400) om.send_invite_email() elif auth_provider and not getattr(om.flags, 'sso:linked'): om.send_sso_link_email(request.user, auth_provider) else: # TODO(dcramer): proper error message return Response({'detail': ERR_UNINVITABLE}, status=400) if auth_provider: sso_enabled.send(organization=organization, sender=request.user) if result.get('teams'): # dupe code from member_index # ensure listed teams are real teams teams = list( Team.objects.filter( organization=organization, status=TeamStatus.VISIBLE, slug__in=result['teams'], )) if len(set(result['teams'])) != len(teams): return Response({'teams': 'Invalid team'}, status=400) with transaction.atomic(): # teams may be empty OrganizationMemberTeam.objects.filter( organizationmember=om).delete() OrganizationMemberTeam.objects.bulk_create([ OrganizationMemberTeam(team=team, organizationmember=om) for team in teams ]) if result.get('role'): _, allowed_roles = get_allowed_roles(request, organization) if not result['role'] in {r.id for r in allowed_roles}: return Response( { 'role': 'You do not have permission to invite that role.' }, status=403) om.update(role=result['role']) context = self._serialize_member(om, request, allowed_roles) return Response(context)
def put(self, request, organization, member_id): try: om = self._get_member(request, organization, member_id) except OrganizationMember.DoesNotExist: raise ResourceDoesNotExist serializer = OrganizationMemberSerializer( data=request.DATA, partial=True) if not serializer.is_valid(): return Response(status=400) try: auth_provider = AuthProvider.objects.get(organization=organization) auth_provider = auth_provider.get_provider() except AuthProvider.DoesNotExist: auth_provider = None allowed_roles = None result = serializer.object # XXX(dcramer): if/when this expands beyond reinvite we need to check # access level if result.get('reinvite'): if om.is_pending: if result.get('regenerate'): if request.access.has_scope('member:admin'): om.update(token=om.generate_token()) else: return Response({'detail': ERR_INSUFFICIENT_SCOPE}, status=400) om.send_invite_email() elif auth_provider and not getattr(om.flags, 'sso:linked'): om.send_sso_link_email(request.user, auth_provider) else: # TODO(dcramer): proper error message return Response({'detail': ERR_UNINVITABLE}, status=400) if result.get('teams'): # dupe code from member_index # ensure listed teams are real teams teams = list(Team.objects.filter( organization=organization, status=TeamStatus.VISIBLE, slug__in=result['teams'], )) if len(set(result['teams'])) != len(teams): return Response({'teams': 'Invalid team'}, status=400) with transaction.atomic(): # teams may be empty OrganizationMemberTeam.objects.filter( organizationmember=om).delete() OrganizationMemberTeam.objects.bulk_create( [ OrganizationMemberTeam( team=team, organizationmember=om) for team in teams ] ) if result.get('role'): _, allowed_roles = get_allowed_roles(request, organization) allowed_role_ids = {r.id for r in allowed_roles} # A user cannot promote others above themselves if result['role'] not in allowed_role_ids: return Response( {'role': 'You do not have permission to assign the given role.'}, status=403) # A user cannot demote a superior if om.role not in allowed_role_ids: return Response( {'role': 'You do not have permission to assign a role to the given user.'}, status=403) if om.user == request.user and (result['role'] != om.role): return Response( {'detail': 'You cannot make changes to your own role.'}, status=400) om.update(role=result['role']) self.create_audit_entry( request=request, organization=organization, target_object=om.id, target_user=om.user, event=AuditLogEntryEvent.MEMBER_EDIT, data=om.get_audit_log_data(), ) context = self._serialize_member(om, request, allowed_roles) return Response(context)
def post(self, request, organization, member_id, team_slug): """ Join a team Join or request access to a team. If the user is already a member of the team, this will simply return a 204. If the user needs permission to join the team, an access request will be generated and the returned status code will be 202. """ try: om = OrganizationMember.objects.filter( organization=organization, id=member_id, ).select_related('user').get() except OrganizationMember.DoesNotExist: raise ResourceDoesNotExist if not self._can_access(request, om): return Response({'detail': ERR_INSUFFICIENT_ROLE}, status=400) try: team = Team.objects.get( organization=organization, slug=team_slug, ) except Team.DoesNotExist: raise ResourceDoesNotExist if not om.has_global_access: try: omt = OrganizationMemberTeam.objects.get( team=team, organizationmember=om, ) except OrganizationMemberTeam.DoesNotExist: # TODO(dcramer): this should create a pending request and # return a 202 if not organization.flags.allow_joinleave: omt, created = OrganizationAccessRequest.objects.get_or_create( team=team, member=om, ) if created: omt.send_request_email() return Response(status=202) omt = OrganizationMemberTeam( team=team, organizationmember=om, is_active=False, ) if omt.is_active: return Response(status=204) else: try: omt = OrganizationMemberTeam.objects.get( team=team, organizationmember=om, ) except OrganizationMemberTeam.DoesNotExist: # if the relationship doesnt exist, they're already a member return Response(status=204) omt.is_active = True omt.save() AuditLogEntry.objects.create( organization=organization, actor=request.user, ip_address=request.META['REMOTE_ADDR'], target_object=omt.id, target_user=request.user, event=AuditLogEntryEvent.MEMBER_JOIN_TEAM, data=omt.get_audit_log_data(), ) return Response(serialize(team), status=201)
def delete(self, request, organization, member_id, team_slug): """ Leave a team Leave a team. """ try: om = OrganizationMember.objects.filter( organization=organization, id=member_id, ).select_related('user').get() except OrganizationMember.DoesNotExist: raise ResourceDoesNotExist if not self._can_access(request, om): return Response({'detail': ERR_INSUFFICIENT_ROLE}, status=400) try: team = Team.objects.get( organization=organization, slug=team_slug, ) except Team.DoesNotExist: raise ResourceDoesNotExist if not om.has_global_access: try: omt = OrganizationMemberTeam.objects.get( team=team, organizationmember=om, ) except OrganizationMemberTeam.DoesNotExist: # if the relationship doesnt exist, they're already a member return Response(status=204) else: try: omt = OrganizationMemberTeam.objects.get( team=team, organizationmember=om, is_active=True, ) except OrganizationMemberTeam.DoesNotExist: omt = OrganizationMemberTeam( team=team, organizationmember=om, is_active=True, ) if omt.is_active: omt.is_active = False omt.save() AuditLogEntry.objects.create( organization=organization, actor=request.user, ip_address=request.META['REMOTE_ADDR'], target_object=omt.id, target_user=request.user, event=AuditLogEntryEvent.MEMBER_LEAVE_TEAM, data=omt.get_audit_log_data(), ) return Response(status=204)
def delete(self, request, organization, member_id, team_slug): """ Leave a team Leave a team. """ try: om = self._get_member(request, organization, member_id) except OrganizationMember.DoesNotExist: raise ResourceDoesNotExist if not self._can_access(request, om): return Response({'detail': ERR_INSUFFICIENT_ROLE}, status=400) try: team = Team.objects.get( organization=organization, slug=team_slug, ) except Team.DoesNotExist: raise ResourceDoesNotExist if not om.has_global_access: try: omt = OrganizationMemberTeam.objects.get( team=team, organizationmember=om, ) except OrganizationMemberTeam.DoesNotExist: # if the relationship doesnt exist, they're already a member return Response(serialize(team, request.user, TeamWithProjectsSerializer()), status=200) else: try: omt = OrganizationMemberTeam.objects.get( team=team, organizationmember=om, is_active=True, ) except OrganizationMemberTeam.DoesNotExist: omt = OrganizationMemberTeam( team=team, organizationmember=om, is_active=True, ) if omt.is_active: omt.is_active = False omt.save() self.create_audit_entry( request=request, organization=organization, target_object=omt.id, target_user=om.user, event=AuditLogEntryEvent.MEMBER_LEAVE_TEAM, data=omt.get_audit_log_data(), ) return Response(serialize(team, request.user, TeamWithProjectsSerializer()), status=200)