Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zulip/zproject/backends.py

2017 lines
91 KiB
Python
Raw Normal View History

auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
# Documentation for Zulip's authentication backends is split across a few places:
#
# * https://zulip.readthedocs.io/en/latest/production/authentication-methods.html and
# zproject/prod_settings_template.py have user-level configuration documentation.
docs: Reorganize auth and migrations subsystems. - Moves "Authentication in the development environment" from subsystems to "development/authentication.md". - Moves "Renumbering migrations" to a section within "Schema migrations".
2019-11-07 18:29:05 +01:00
# * https://zulip.readthedocs.io/en/latest/development/authentication.html
# has developer-level documentation, especially on testing authentication backends
# in the Zulip development environment.
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
#
# Django upstream's documentation for authentication backends is also
# helpful background. The most important detail to understand for
# reading this file is that the Django authenticate() function will
# call the authenticate methods of all backends registered in
# settings.AUTHENTICATION_BACKENDS that have a function signature
# matching the args/kwargs passed in the authenticate() call.
saml: Gracefully handle bad SAMLResponses.
2020-05-22 15:26:17 +02:00
import binascii
ldap: Fix avatar sync not working with the S3 backend. This fixes an issue that caused LDAP synchronization to fail for avatars. The problem occurred due to the lack of a 'name' attribute on the BytesIO object that we pass to the upload backend (which is only used in the S3 backend for computing Content-Type). Fixes #12411.
2019-06-07 23:36:19 +02:00
import copy
Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
import logging
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-11 00:54:34 +02:00
from abc import ABC, abstractmethod
from typing import Any, Callable, Dict, List, Optional, Set, Tuple, Type, TypeVar, Union, cast
ldap: Fix avatar sync not working with the S3 backend. This fixes an issue that caused LDAP synchronization to fail for avatars. The problem occurred due to the lack of a 'name' attribute on the BytesIO object that we pass to the upload backend (which is only used in the S3 backend for computing Content-Type). Fixes #12411.
2019-06-07 23:36:19 +02:00
import magic
python: Replace ujson with orjson. Fixes #6507. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-08-07 01:09:47 +02:00
import orjson
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
from decorator import decorator
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-11 00:54:34 +02:00
from django.conf import settings
auth: Add ExternalAuthResult to manage data in authentication flows. This new type eliminates a bunch of messy code that previously involved passing around long lists of mixed positional keyword and arguments, instead using a consistent data object for communicating about the state of an external authentication (constructed in backends.py). The result is a significantly more readable interface between zproject/backends.py and zerver/views/auth.py, though likely more could be done. This has the side effect of renaming fields for internally passed structures from name->full_name, next->redirect_to; this results in most of the test codebase changes. Modified by tabbott to add comments and collaboratively rewrite the initialization logic.
2020-02-23 18:58:08 +01:00
from django.contrib.auth import authenticate, get_backends
SSO / REMOTE_USER support (imported from commit 4f4fad7af5d3c6099cac95d7708338c182626d72)
2013-11-04 23:16:46 +01:00
from django.contrib.auth.backends import RemoteUserBackend
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
from django.core.exceptions import ValidationError
from django.core.validators import validate_email
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-11 00:54:34 +02:00
from django.dispatch import Signal, receiver
from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
from django.shortcuts import render
auth: Redirect deactivated users with error for social auth backend. Fixes #11937. Also extracts the error message for a deactivated account to `DEACTIVATED_ACCOUNT_ERROR`.
2019-04-12 06:24:58 +02:00
from django.urls import reverse
auth: Implement server side of desktop_flow_otp.
2020-01-23 14:22:28 +01:00
from django.utils.translation import ugettext as _
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-11 00:54:34 +02:00
from django_auth_ldap.backend import LDAPBackend, LDAPReverseEmailSearch, _LDAPUser, ldap_error
saml: Gracefully handle bad SAMLResponses.
2020-05-22 15:26:17 +02:00
from lxml.etree import XMLSyntaxError
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
from onelogin.saml2.errors import OneLogin_Saml2_Error
saml: Figure out the idp from SAMLResponse. Instead of plumbing the idp to /complete/saml/ through redis, it's much more natural to just figure it out from the SAMLResponse, because the information is there. This is also a preparatory step for adding IdP-initiated sign in, for which it is important for /complete/saml/ to be able to figure out which IdP the request is coming from.
2020-05-22 18:44:29 +02:00
from onelogin.saml2.response import OneLogin_Saml2_Response
saml: Fix incorrect settings object being passed in get_issuing_idp. Fixes #15904. settings is supposed to be a proper OneLogin_Saml2_Settings object, rather than an empty dictionary. This bug wasn't easy to spot because the codepath that causes this to demonstrate runs only if the SAMLResponse contains encrypted assertions.
2020-07-25 14:31:45 +02:00
from onelogin.saml2.settings import OneLogin_Saml2_Settings
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-11 00:54:34 +02:00
from requests import HTTPError
from social_core.backends.apple import AppleIdAuth
auth: Add support for Azure Active Directory authentication. This takes advantage of all of our work on making the python-social-auth integration reusable for other authentication backends.
2018-10-05 14:32:02 +02:00
from social_core.backends.azuread import AzureADOAuth2
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
from social_core.backends.base import BaseAuth
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-11 00:54:34 +02:00
from social_core.backends.github import GithubOAuth2, GithubOrganizationOAuth2, GithubTeamOAuth2
from social_core.backends.gitlab import GitLabOAuth2
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
from social_core.backends.google import GoogleOAuth2
saml: Add option to restrict subdomain access based on SAML attributes. Adds the ability to set a SAML attribute which contains a list of subdomains the user is allowed to access. This allows a Zulip server with multiple organizations to filter using SAML attributes which organization each user can access. Cleaned up and adapted by Mateusz Mandera to fit our conventions and needs more. Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2020-06-19 21:44:29 +02:00
from social_core.backends.saml import SAMLAuth, SAMLIdentityProvider
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-11 00:54:34 +02:00
from social_core.exceptions import (
auth: Add native flow support for Apple authentication. Overrides some of internal functions of python-social-auth to handle native flow. Credits to Mateusz Mandera for the overridden functions. Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2020-06-09 18:17:32 +02:00
AuthCanceled,
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-11 00:54:34 +02:00
AuthFailed,
AuthMissingParameter,
AuthStateForbidden,
SocialAuthBaseException,
)
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
from social_core.pipeline.partial import partial
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-11 00:54:34 +02:00
from typing_extensions import TypedDict
from zxcvbn import zxcvbn
github: Pass proper parameters to authenticate. Django tries to authenticate against all backends one by one. The authenticate() function of GitHub backend used to take *args and **kwargs arguments due to which it could be called against any set of arguments. Django uses arguments to differentiate authenticate() methods.
2017-03-24 10:48:52 +01:00
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
from zerver.decorator import client_is_exempt_from_rate_limiting
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-11 00:54:34 +02:00
from zerver.lib.actions import (
do_create_user,
do_deactivate_user,
do_reactivate_user,
do_update_user_custom_profile_data_if_changed,
)
from zerver.lib.avatar import avatar_url, is_avatar_new
ldap: Fix LDAP avatar synchronization to check if avatar has changed. When "manage.py sync_ldap_user_data" is run, user avatars are now only updated if they have changed in LDAP. Fixes #12381.
2019-06-28 00:10:58 +02:00
from zerver.lib.avatar_hash import user_avatar_content_hash
users: Modify do_create_user and create_user to accept role. We change do_create_user and create_user to accept role as a parameter instead of 'is_realm_admin' and 'is_guest'. These changes are done to minimize data conversions between role and boolean fields.
2020-06-03 01:11:36 +02:00
from zerver.lib.create_user import get_role_for_new_user
ldap: Extract `init_fakeldap()`.
2019-01-12 18:12:11 +01:00
from zerver.lib.dev_ldap_directory import init_fakeldap
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-11 00:54:34 +02:00
from zerver.lib.email_validation import email_allowed_for_realm, validate_email_not_already_in_realm
auth: Ensure only one of mobile and desktop otps in validate_otp_params. validate_otp_params needs to be moved to backends.py, because as of this commit it'll be used both there and in views.auth - and import from views.auth to backends.py causes circular import issue.
2020-02-01 17:45:22 +01:00
from zerver.lib.mobile_auth_otp import is_valid_otp
rate_limit: Move functions called by external code to RateLimitedObject.
2020-03-04 14:05:25 +01:00
from zerver.lib.rate_limiter import RateLimitedObject
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-11 00:54:34 +02:00
from zerver.lib.redis_utils import get_dict_from_redis, get_redis_client, put_dict_in_redis
backends: Sort imports.
2017-10-24 17:59:39 +02:00
from zerver.lib.request import JsonableError
saml: Support IdP-initiated SSO.
2020-05-23 15:21:19 +02:00
from zerver.lib.subdomains import get_subdomain
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-11 00:54:34 +02:00
from zerver.lib.users import check_full_name, validate_user_custom_profile_field
from zerver.models import (
CustomProfileField,
DisposableEmailError,
DomainNotAllowedForRealmError,
EmailContainsPlusError,
PreregistrationUser,
Realm,
UserProfile,
custom_profile_fields_for_realm,
email_to_username,
get_realm,
get_user_by_delivery_email,
get_user_profile_by_id,
remote_user_to_email,
supported_auth_backends,
)
backends: Sort imports.
2017-10-24 17:59:39 +02:00
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
redis_client = get_redis_client()
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
# This first batch of methods is used by other code in Zulip to check
# whether a given authentication backend is enabled for a given realm.
# In each case, we both needs to check at the server level (via
# `settings.AUTHENTICATION_BACKENDS`, queried via
# `django.contrib.auth.get_backends`) and at the realm level (via the
# `Realm.authentication_methods` BitField).
zproject: Change use of typing.Text to str.
2018-05-10 18:53:55 +02:00
def pad_method_dict(method_dict: Dict[str, bool]) -> Dict[str, bool]:
auth: Refactor auth backend enabled checking code.
2016-11-06 23:44:45 +01:00
"""Pads an authentication methods dict to contain all auth backends
supported by the software, regardless of whether they are
configured on this server"""
for key in AUTH_BACKEND_NAME_MAP:
if key not in method_dict:
method_dict[key] = False
return method_dict
zproject: Change use of typing.Text to str.
2018-05-10 18:53:55 +02:00
def auth_enabled_helper(backends_to_check: List[str], realm: Optional[Realm]) -> bool:
auth: Make supported authentication backends a bitfield on realm. This makes it possible to configure only certain authentication methods to be enabled on a per-realm basis. Note that the authentication_methods_dict function (which checks what backends are supported on the realm) requires an in function import due to a circular dependency.
2016-11-02 21:41:10 +01:00
if realm is not None:
enabled_method_dict = realm.authentication_methods_dict()
pad_method_dict(enabled_method_dict)
else:
python: Modernize legacy Python 2 syntax with pyupgrade. Generated by `pyupgrade --py3-plus --keep-percent-format` on all our Python code except `zthumbor` and `zulip-ec2-configure-interfaces`, followed by manual indentation fixes. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-09 21:51:58 +02:00
enabled_method_dict = {method: True for method in Realm.AUTHENTICATION_FLAGS}
auth: Make supported authentication backends a bitfield on realm. This makes it possible to configure only certain authentication methods to be enabled on a per-realm basis. Note that the authentication_methods_dict function (which checks what backends are supported on the realm) requires an in function import due to a circular dependency.
2016-11-02 21:41:10 +01:00
pad_method_dict(enabled_method_dict)
backends: Further optimize auth_enabled_helper. This avoids repeatedly calling a Django auth function that takes a few hundred microseconds to run in auth_enabled_helper, which itself is currently called 14 times in every request to pages using common_context.
2019-03-17 22:25:47 +01:00
for supported_backend in supported_auth_backends():
auth: Refactor auth backend enabled checking code.
2016-11-06 23:44:45 +01:00
for backend_name in backends_to_check:
backend = AUTH_BACKEND_NAME_MAP[backend_name]
if enabled_method_dict[backend_name] and isinstance(supported_backend, backend):
return True
Disable password change when SSO is the only login option (imported from commit fd1a14237e2d6ea574331ed178bfc0db5beb18c6)
2013-11-04 23:42:31 +01:00
return False
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def ldap_auth_enabled(realm: Optional[Realm]=None) -> bool:
zproject: Remove u prefix from strings.
2017-11-02 08:05:56 +01:00
return auth_enabled_helper(['LDAP'], realm)
auth: Separate email_auth_enabled from ldap_auth_enabled.
2016-11-07 00:04:59 +01:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def email_auth_enabled(realm: Optional[Realm]=None) -> bool:
zproject: Remove u prefix from strings.
2017-11-02 08:05:56 +01:00
return auth_enabled_helper(['Email'], realm)
auth: Separate email_auth_enabled from ldap_auth_enabled.
2016-11-07 00:04:59 +01:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def password_auth_enabled(realm: Optional[Realm]=None) -> bool:
auth: Separate email_auth_enabled from ldap_auth_enabled.
2016-11-07 00:04:59 +01:00
return ldap_auth_enabled(realm) or email_auth_enabled(realm)
Add a new dev login page for logging in without a password on the dev VM. (imported from commit ac8f2504771c9907b7e92dc91cec5f7220ce951b)
2015-08-19 02:58:20 +02:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def dev_auth_enabled(realm: Optional[Realm]=None) -> bool:
zproject: Remove u prefix from strings.
2017-11-02 08:05:56 +01:00
return auth_enabled_helper(['Dev'], realm)
auth: Refactor auth backend enabled checking code.
2016-11-06 23:44:45 +01:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def google_auth_enabled(realm: Optional[Realm]=None) -> bool:
zproject: Remove u prefix from strings.
2017-11-02 08:05:56 +01:00
return auth_enabled_helper(['Google'], realm)
auth: Refactor auth backend enabled checking code.
2016-11-06 23:44:45 +01:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def github_auth_enabled(realm: Optional[Realm]=None) -> bool:
zproject: Remove u prefix from strings.
2017-11-02 08:05:56 +01:00
return auth_enabled_helper(['GitHub'], realm)
Add a new dev login page for logging in without a password on the dev VM. (imported from commit ac8f2504771c9907b7e92dc91cec5f7220ce951b)
2015-08-19 02:58:20 +02:00
auth: Add support for GitLab authentication. With some tweaks by tabbott to the documentation and comments. Fixes #13694.
2020-01-31 18:19:53 +01:00
def gitlab_auth_enabled(realm: Optional[Realm]=None) -> bool:
return auth_enabled_helper(['GitLab'], realm)
auth: Add Sign in with Apple support. This implementation overrides some of PSA's internal backend functions to handle `state` value with redis as the standard way doesn't work because of apple sending required details in the form of POST request. Includes a mixin test class that'll be useful for testing Native auth flow. Thanks to Mateusz Mandera for the idea of using redis and other important work on this. Documentation rewritten by tabbott. Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2020-06-09 12:04:21 +02:00
def apple_auth_enabled(realm: Optional[Realm]=None) -> bool:
return auth_enabled_helper(['Apple'], realm)
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
def saml_auth_enabled(realm: Optional[Realm]=None) -> bool:
return auth_enabled_helper(['SAML'], realm)
auth: Rename any_oauth_backend_enabled to any_social_backend_enabled. any_oauth_backend_enabled is all about whether we will have extra buttons on the login/register pages for logging in with some non-native backends (like Github, Google etc.). And this isn't about specifically oauth backends, but generally "social" backends - that may not rely specifically rely on Oauth. This will have more concrete relevance when SAML authentication is added - which will be a "social" backend, requiring an additional button, but not Oauth-based.
2019-09-19 03:19:45 +02:00
def any_social_backend_enabled(realm: Optional[Realm]=None) -> bool:
Redesign login and registration pages. This completes a major redesign of the Zulip login and registration pages, making them look much more slick and modern. Major features include: * Display of the realm name, description and icon on the login page and registration pages in the subdomains case. * Much slicker looking buttons and input fields. * A new overall style for the exterior of these portico pages.
2017-04-20 21:02:56 +02:00
"""Used by the login page process to determine whether to show the
'OR' for login with Google"""
auth: Clean up SOCIAL_AUTH_BACKENDS / OAUTH_BACKEND_NAMES lists. SOCIAL_AUTH_BACKEND / OAUTH_BACKEND_NAMES are currently the same backends. All Oauth backends are social, and all social are oauth. So we get rid of OAUTH_BACKEND_NAMES and use only SOCIAL_AUTH_BACKENDS.
2019-09-19 03:14:12 +02:00
social_backend_names = [social_auth_subclass.auth_backend_name
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
for social_auth_subclass in EXTERNAL_AUTH_METHODS]
auth: Clean up SOCIAL_AUTH_BACKENDS / OAUTH_BACKEND_NAMES lists. SOCIAL_AUTH_BACKEND / OAUTH_BACKEND_NAMES are currently the same backends. All Oauth backends are social, and all social are oauth. So we get rid of OAUTH_BACKEND_NAMES and use only SOCIAL_AUTH_BACKENDS.
2019-09-19 03:14:12 +02:00
return auth_enabled_helper(social_backend_names, realm)
Redesign login and registration pages. This completes a major redesign of the Zulip login and registration pages, making them look much more slick and modern. Major features include: * Display of the realm name, description and icon on the login page and registration pages in the subdomains case. * Much slicker looking buttons and input fields. * A new overall style for the exterior of these portico pages.
2017-04-20 21:02:56 +02:00
saml: Sanity-check configuration in both login and signup codepaths.
2019-10-26 01:51:48 +02:00
def redirect_to_config_error(error_type: str) -> HttpResponseRedirect:
python: Convert percent formatting to Python 3.6 f-strings. Generated by pyupgrade --py36-plus. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-10 06:41:04 +02:00
return HttpResponseRedirect(f"/config-error/{error_type}")
saml: Sanity-check configuration in both login and signup codepaths.
2019-10-26 01:51:48 +02:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def require_email_format_usernames(realm: Optional[Realm]=None) -> bool:
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
if ldap_auth_enabled(realm):
if settings.LDAP_EMAIL_ATTR or settings.LDAP_APPEND_DOMAIN:
return False
return True
backends: Extract useful is_user_active function. This logic can be useful elsewhere, for checking whether user_profile is active.
2019-09-21 01:32:59 +02:00
def is_user_active(user_profile: UserProfile, return_data: Optional[Dict[str, Any]]=None) -> bool:
if not user_profile.is_active:
if return_data is not None:
if user_profile.is_mirror_dummy:
# Record whether it's a mirror dummy account
return_data['is_mirror_dummy'] = True
return_data['inactive_user'] = True
auth: Log when a user tries to login with deactivated account. Helps to see if users are often trying to login with deactived accounts. A use case: Trackdown whether any deactivated bot users are still trying to access the API. This implementation adds a new key `inactive_user_id` to `return_data` in the function `is_user_active` which check if a `user_profile` is active. This reduces the effort of getting `user_id` just before logging. Modified tests for line coverage.
2020-05-19 22:36:51 +02:00
return_data['inactive_user_id'] = user_profile.id
backends: Extract useful is_user_active function. This logic can be useful elsewhere, for checking whether user_profile is active.
2019-09-21 01:32:59 +02:00
return False
if user_profile.realm.deactivated:
if return_data is not None:
return_data['inactive_realm'] = True
return False
return True
auth: Rewrite DummyAuthBackend to not block email reuse. This require some care to ensure we still provide the same nice error messages for the case of a user who has an account, just not with this organization. Also, we fix the fact that the docstring was (and I think always has been) at best confusing and perhaps even inaccurate.
2017-11-17 22:43:16 +01:00
def common_get_active_user(email: str, realm: Realm,
mypy: Add Optional & check in zproject/backends.py; remove from mypy.ini.
2018-10-27 03:19:49 +02:00
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
"""This is the core common function used by essentially all
authentication backends to check if there's an active user account
with a given email address in the organization, handling both
user-level and realm-level deactivation correctly.
"""
auth: Rewrite DummyAuthBackend to not block email reuse. This require some care to ensure we still provide the same nice error messages for the case of a user who has an account, just not with this organization. Also, we fix the fact that the docstring was (and I think always has been) at best confusing and perhaps even inaccurate.
2017-11-17 22:43:16 +01:00
try:
email: Convert accounts code to use delivery_email. A key part of this is the new helper, get_user_by_delivery_email. Its verbose name is important for clarity; it should help avoid blind copy-pasting of get_user (which we'll also want to rename). Unfortunately, it requires detailed understanding of the context to figure out which one to use; each is used in about half of call sites. Another important note is that this PR doesn't migrate get_user calls in the tests except where not doing so would cause the tests to fail. This probably deserves a follow-up refactor to avoid bugs here.
2018-12-07 00:05:57 +01:00
user_profile = get_user_by_delivery_email(email, realm)
auth: Rewrite DummyAuthBackend to not block email reuse. This require some care to ensure we still provide the same nice error messages for the case of a user who has an account, just not with this organization. Also, we fix the fact that the docstring was (and I think always has been) at best confusing and perhaps even inaccurate.
2017-11-17 22:43:16 +01:00
except UserProfile.DoesNotExist:
# If the user doesn't have an account in the target realm, we
# check whether they might have an account in another realm,
# and if so, provide a helpful error message via
# `invalid_subdomain`.
email: Convert accounts code to use delivery_email. A key part of this is the new helper, get_user_by_delivery_email. Its verbose name is important for clarity; it should help avoid blind copy-pasting of get_user (which we'll also want to rename). Unfortunately, it requires detailed understanding of the context to figure out which one to use; each is used in about half of call sites. Another important note is that this PR doesn't migrate get_user calls in the tests except where not doing so would cause the tests to fail. This probably deserves a follow-up refactor to avoid bugs here.
2018-12-07 00:05:57 +01:00
if not UserProfile.objects.filter(delivery_email__iexact=email).exists():
auth: Rewrite DummyAuthBackend to not block email reuse. This require some care to ensure we still provide the same nice error messages for the case of a user who has an account, just not with this organization. Also, we fix the fact that the docstring was (and I think always has been) at best confusing and perhaps even inaccurate.
2017-11-17 22:43:16 +01:00
return None
if return_data is not None:
return_data['invalid_subdomain'] = True
return None
backends: Extract useful is_user_active function. This logic can be useful elsewhere, for checking whether user_profile is active.
2019-09-21 01:32:59 +02:00
if not is_user_active(user_profile, return_data):
auth: Rewrite DummyAuthBackend to not block email reuse. This require some care to ensure we still provide the same nice error messages for the case of a user who has an account, just not with this organization. Also, we fix the fact that the docstring was (and I think always has been) at best confusing and perhaps even inaccurate.
2017-11-17 22:43:16 +01:00
return None
backends: Extract useful is_user_active function. This logic can be useful elsewhere, for checking whether user_profile is active.
2019-09-21 01:32:59 +02:00
auth: Rewrite DummyAuthBackend to not block email reuse. This require some care to ensure we still provide the same nice error messages for the case of a user who has an account, just not with this organization. Also, we fix the fact that the docstring was (and I think always has been) at best confusing and perhaps even inaccurate.
2017-11-17 22:43:16 +01:00
return user_profile
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
AuthFuncT = TypeVar('AuthFuncT', bound=Callable[..., Optional[UserProfile]])
rate_limiter: Rename authenticate domain to authenticate_by_username. This prepares for adding authenticate_by_ip_address.
2019-12-30 21:17:11 +01:00
rate_limiting_rules = settings.RATE_LIMITING_RULES['authenticate_by_username']
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
class RateLimitedAuthenticationByUsername(RateLimitedObject):
def __init__(self, username: str) -> None:
self.username = username
rate_limit: Add the concept of RateLimiterBackend. This will allow easily swapping and using various implementations of rate-limiting, and separate the implementation logic from RateLimitedObjects.
2020-03-05 13:38:20 +01:00
super().__init__()
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
rate_limit: Rename key_fragment() method to key().
2020-03-06 10:49:04 +01:00
def key(self) -> str:
python: Convert "".format to Python 3.6 f-strings. Generated by pyupgrade --py36-plus --keep-percent-format, but with the NamedTuple changes reverted (see commit ba7906a3c657905fa35bbcfb4e97b053f050272d, #15132). Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-09 00:25:09 +02:00
return f"{type(self).__name__}:{self.username}"
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
def rules(self) -> List[Tuple[int, int]]:
return rate_limiting_rules
def rate_limit_authentication_by_username(request: HttpRequest, username: str) -> None:
rate_limit: Move functions called by external code to RateLimitedObject.
2020-03-04 14:05:25 +01:00
RateLimitedAuthenticationByUsername(username).rate_limit_request(request)
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
def auth_rate_limiting_already_applied(request: HttpRequest) -> bool:
rate_limiter: Store data in request._ratelimits_applied list. The information used to be stored in a request._ratelimit dict, but there's no need for that, and a list is a simpler structure, so this allows us to simplify the plumbing somewhat.
2020-04-01 13:31:20 +02:00
if not hasattr(request, '_ratelimits_applied'):
return False
return any(isinstance(r.entity, RateLimitedAuthenticationByUsername)
for r in request._ratelimits_applied)
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
# Django's authentication mechanism uses introspection on the various authenticate() functions
# defined by backends, so we need a decorator that doesn't break function signatures.
# @decorator does this for us.
# The usual @wraps from functools breaks signatures, so it can't be used here.
@decorator
def rate_limit_auth(auth_func: AuthFuncT, *args: Any, **kwargs: Any) -> Optional[UserProfile]:
if not settings.RATE_LIMITING_AUTHENTICATE:
return auth_func(*args, **kwargs)
auth: Give all backend authenticate() optional request argument. This is required for our migration to Django 2.2. authenticate() definitions need to have that starting with Django 2.1. rate_limit_auth needs to be adjusted to expect the request in the first positional argument instead of a kwarg.
2020-02-04 14:04:10 +01:00
request = args[1]
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
username = kwargs['username']
if not hasattr(request, 'client') or not client_is_exempt_from_rate_limiting(request):
# Django cycles through enabled authentication backends until one succeeds,
# or all of them fail. If multiple backends are tried like this, we only want
# to execute rate_limit_authentication_* once, on the first attempt:
if auth_rate_limiting_already_applied(request):
pass
else:
# Apply rate limiting. If this request is above the limit,
# RateLimited will be raised, interrupting the authentication process.
# From there, the code calling authenticate() can either catch the exception
# and handle it on its own, or it will be processed by RateLimitMiddleware.
rate_limit_authentication_by_username(request, username)
result = auth_func(*args, **kwargs)
if result is not None:
# Authentication succeeded, clear the rate-limiting record.
rate_limit: Move functions called by external code to RateLimitedObject.
2020-03-04 14:05:25 +01:00
RateLimitedAuthenticationByUsername(username).clear_history()
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
return result
zproject: Remove inheritance from object.
2017-11-05 11:31:53 +01:00
class ZulipAuthMixin:
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
"""This common mixin is used to override Django's default behavior for
looking up a logged-in user by ID to use a version that fetches
from memcached before checking the database (avoiding a database
query in most cases).
"""
logging: Set up a different logger for each backend. Adds a top-level logger in `settings.LOGGING` `zulip.auth` with the default handlers `DEFAULT_ZULIP_HANDLERS` and an extra hanlder that writes to `/var/log/zulip/auth.log`. Each auth backend uses it's own logger, `self.logger` which is in form 'zulip.auth.<backend name>'. This way it's clear which auth backend generated the log and is easier to look for all authentication logs in one file. Besides the above mentioned changes, `name` attribute is added to `ZulipAuthMixin` so that these logging kind of calls wouldn't raise any issues when logging is tried in a class without `name` attribute. Also in the tests we use a new way to check if logger calls are made i.e. we use `assertLogs` to test if something is logged. Thanks to Mateusz Mandera for the idea of having a seperate logger for auth backends and suggestion of using `assertLogs`.
2020-06-02 20:20:53 +02:00
name = "undefined"
_logger = None
@property
def logger(self) -> logging.Logger:
if self._logger is None:
self._logger = logging.getLogger(f"zulip.auth.{self.name}")
return self._logger
python: Whitespace fixes from autopep8. Generated by autopep8, with the setup.cfg configuration from #14532. I’m not sure why pycodestyle didn’t already flag these. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:45:30 +02:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def get_user(self, user_profile_id: int) -> Optional[UserProfile]:
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
"""Override the Django method for getting a UserProfile object from
the user_profile_id,."""
Factor out get_user in zproject/backends.py (imported from commit d60b5440722ed596ffbcb81086b2f62d535288dd)
2013-11-01 20:22:12 +01:00
try:
return get_user_profile_by_id(user_profile_id)
except UserProfile.DoesNotExist:
return None
Use LDAP-provided information if available for real names If authoritative data is available from say the LDAP database, we now ignore the POSTed user name, and don't offer it as a form field. We fall back to giving the user a text field if they aren't in LDAP. If users do not have any form fields to fill out, we simply bring them to the app without the registration page, logging them in using a dummy backend. (imported from commit 6bee87430ba46ff753ea3408251e8a80c45c713f)
2013-11-21 04:57:23 +01:00
class ZulipDummyBackend(ZulipAuthMixin):
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
"""Used when we want to log you in without checking any
auth: Rewrite DummyAuthBackend to not block email reuse. This require some care to ensure we still provide the same nice error messages for the case of a user who has an account, just not with this organization. Also, we fix the fact that the docstring was (and I think always has been) at best confusing and perhaps even inaccurate.
2017-11-17 22:43:16 +01:00
authentication (i.e. new user registration or when otherwise
authentication has already been checked earlier in the process).
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
We ensure that this backend only ever successfully authenticates
when explicitly requested by including the use_dummy_backend kwarg.
Use LDAP-provided information if available for real names If authoritative data is available from say the LDAP database, we now ignore the POSTed user name, and don't offer it as a form field. We fall back to giving the user a text field if they aren't in LDAP. If users do not have any form fields to fill out, we simply bring them to the app without the registration page, logging them in using a dummy backend. (imported from commit 6bee87430ba46ff753ea3408251e8a80c45c713f)
2013-11-21 04:57:23 +01:00
"""
pep8: Fix E301 pep8 violations. Fix "E301: expected (1 or 2) blank line" pep8 violations.
2016-11-29 07:22:02 +01:00
auth: Give all backend authenticate() optional request argument. This is required for our migration to Django 2.2. authenticate() definitions need to have that starting with Django 2.1. rate_limit_auth needs to be adjusted to expect the request in the first positional argument instead of a kwarg.
2020-02-04 14:04:10 +01:00
def authenticate(self, request: Optional[HttpRequest]=None, *,
username: str, realm: Realm,
backends: Convert authenticate methods to modern type annotations.
2017-11-21 20:47:26 +01:00
use_dummy_backend: bool=False,
mypy: Add Optional & check in zproject/backends.py; remove from mypy.ini.
2018-10-27 03:19:49 +02:00
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
Use LDAP-provided information if available for real names If authoritative data is available from say the LDAP database, we now ignore the POSTed user name, and don't offer it as a form field. We fall back to giving the user a text field if they aren't in LDAP. If users do not have any form fields to fill out, we simply bring them to the app without the registration page, logging them in using a dummy backend. (imported from commit 6bee87430ba46ff753ea3408251e8a80c45c713f)
2013-11-21 04:57:23 +01:00
if use_dummy_backend:
auth: Rewrite DummyAuthBackend to not block email reuse. This require some care to ensure we still provide the same nice error messages for the case of a user who has an account, just not with this organization. Also, we fix the fact that the docstring was (and I think always has been) at best confusing and perhaps even inaccurate.
2017-11-17 22:43:16 +01:00
return common_get_active_user(username, realm, return_data)
Use LDAP-provided information if available for real names If authoritative data is available from say the LDAP database, we now ignore the POSTed user name, and don't offer it as a form field. We fall back to giving the user a text field if they aren't in LDAP. If users do not have any form fields to fill out, we simply bring them to the app without the registration page, logging them in using a dummy backend. (imported from commit 6bee87430ba46ff753ea3408251e8a80c45c713f)
2013-11-21 04:57:23 +01:00
return None
auth: Use zxcvbn to ensure password strength on server side. For a long time, we've been only doing the zxcvbn password strength checks on the browser, which is helpful, but means users could through hackery (or a bug in the frontend validation code) manage to set a too-weak password. We fix this by running our password strength validation on the backend as well, using python-zxcvbn. In theory, a bug in python-zxcvbn could result in it producing a different opinion than the frontend version; if so, it'd be a pretty bad bug in the library, and hopefully we'd hear about it from users, report upstream, and get it fixed that way. Alternatively, we can switch to shelling out to node like we do for KaTeX. Fixes #6880.
2019-11-18 08:11:03 +01:00
def check_password_strength(password: str) -> bool:
"""
Returns True if the password is strong enough,
False otherwise.
"""
if len(password) < settings.PASSWORD_MIN_LENGTH:
return False
if password == '':
# zxcvbn throws an exception when passed the empty string, so
# we need a special case for the empty string password here.
return False
if int(zxcvbn(password)['guesses']) < settings.PASSWORD_MIN_GUESSES:
return False
return True
Factor out get_user in zproject/backends.py (imported from commit d60b5440722ed596ffbcb81086b2f62d535288dd)
2013-11-01 20:22:12 +01:00
class EmailAuthBackend(ZulipAuthMixin):
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
"""
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
Email+Password Authentication Backend (the default).
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
Allows a user to sign in using an email/password pair.
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
"""
pep8: Fix E301 pep8 violations. Fix "E301: expected (1 or 2) blank line" pep8 violations.
2016-11-29 07:22:02 +01:00
auth: Add auth_name attribute for non external auth backends. This commit adds `name` attribute for the backends that do not have them. This is just a kind of prep commit in case if we want to use `self.logger.xxxx()` in the future which is dependent on the `name` attribute. But right now these logging calls aren't used anywhere in those backends.
2020-06-03 13:18:08 +02:00
name = 'email'
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
@rate_limit_auth
auth: Give all backend authenticate() optional request argument. This is required for our migration to Django 2.2. authenticate() definitions need to have that starting with Django 2.1. rate_limit_auth needs to be adjusted to expect the request in the first positional argument instead of a kwarg.
2020-02-04 14:04:10 +01:00
def authenticate(self, request: Optional[HttpRequest]=None, *,
username: str, password: str,
authenticate: Remove default values for required parameters. It is now the caller’s responsibility to check that realm is not None. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-05 01:04:48 +02:00
realm: Realm,
backends: Convert authenticate methods to modern type annotations.
2017-11-21 20:47:26 +01:00
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
""" Authenticate a user based on email address as the user name. """
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
if not password_auth_enabled(realm):
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
if return_data is not None:
return_data['password_auth_disabled'] = True
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
return None
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
if not email_auth_enabled(realm):
auth: Separate email_auth_enabled from ldap_auth_enabled.
2016-11-07 00:04:59 +01:00
if return_data is not None:
return_data['email_auth_disabled'] = True
return None
CVE-2019-18933: Fix insecure account creation via social authentication. A bug in Zulip's new user signup process meant that users who registered their account using social authentication (e.g. GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an unprivileged attacker, allowing nearly full access to the user's account. Zulip versions between 1.7.0 and 2.0.6 were affected. This commit fixes the original bug and also contains a database migration to fix any users with corrupt `password` fields in the database as a result of the bug. Out of an abundance of caution (and to protect the users of any installations that delay applying this commit), the migration also resets the API keys of any users where Zulip's logs cannot prove the user's API key was not previously stolen via this bug. Resetting those API keys will be inconvenient for users: * Users of the Zulip mobile and terminal apps whose API keys are reset will be logged out and need to login again. * Users using their personal API keys for any other reason will need to re-fetch their personal API key. We discovered this bug internally and don't believe it was disclosed prior to our publishing it through this commit. Because the algorithm for determining which users might have been affected is very conservative, many users who were never at risk will have their API keys reset by this migration. To avoid this on self-hosted installations that have always used e.g. LDAP authentication, we skip resetting API keys on installations that don't have password authentication enabled. System administrators on installations that used to have email authentication enabled, but no longer do, should temporarily enable EmailAuthBackend before applying this migration. The migration also records which users had their passwords or API keys reset in the usual RealmAuditLog table.
2019-11-18 07:57:36 +01:00
if password == "":
# Never allow an empty password. This is defensive code;
# a user having password "" should only be possible
# through a bug somewhere else.
return None
auth: Move checks for password_auth_enabled earlier. This way, we don't attempt to evaluate whether the user's account is active (etc.) until after we've checked the backend is enabled. This won't change the result of actual auth, but feels more readable.
2017-11-21 21:39:56 +01:00
auth: Convert EmailAuthBackend to use new helper. This lets us delete some duplicate code, since common_get_active_user handles an account in the wrong subdomain for us. Also lets us delete the now-unused common_get_active_user_by_email.
2017-11-21 21:42:21 +01:00
user_profile = common_get_active_user(username, realm, return_data=return_data)
auth: Move checks for password_auth_enabled earlier. This way, we don't attempt to evaluate whether the user's account is active (etc.) until after we've checked the backend is enabled. This won't change the result of actual auth, but feels more readable.
2017-11-21 21:39:56 +01:00
if user_profile is None:
return None
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
if user_profile.check_password(password):
return user_profile
Add option for hosting each realm on its own subdomain. This adds support for running a Zulip production server with each realm on its own unique subdomain, e.g. https://realm_name.example.com. This patch includes a ton of important features: * Configuring the Zulip sesion middleware to issue cookier correctly for the subdomains case. * Throwing an error if the user tries to visit an invalid subdomain. * Runs a portion of the Casper tests with REALMS_HAVE_SUBDOMAINS enabled to test the subdomain signup process. * Updating our integrations documentation to refer to the current subdomain. * Enforces that users can only login to the subdomain of their realm (but does not restrict the API; that will be tightened in a future commit). Note that toggling settings.REALMS_HAVE_SUBDOMAINS on a live server is not supported without manual intervention (the main problem will be adding "subdomain" values for all the existing realms). [substantially modified by tabbott as part of merging]
2016-07-19 14:35:08 +02:00
return None
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
ldap: Allow users to login with just LDAP username. We had an inconsistent behavior when `LDAP_APPEND_DOMAIN` was set in that we allowed user to enter username instead of his email in the auth form but later the workflow failed due to a small bug. Fixes: #10917.
2019-01-09 17:58:39 +01:00
def is_valid_email(email: str) -> bool:
try:
validate_email(email)
except ValidationError:
return False
return True
ldap: Make email search config obligatory without LDAP_APPEND_DOMAIN. Having to account everywhere for both cases of having and not having email search configured makes things needlessly complicated. It's better to make the setting obligatory in configurations other than LDAP_APPEND_DOMAIN.
2019-11-05 02:24:18 +01:00
def check_ldap_config() -> None:
if not settings.LDAP_APPEND_DOMAIN:
# Email search needs to be configured in this case.
assert settings.AUTH_LDAP_USERNAME_ATTR and settings.AUTH_LDAP_REVERSE_EMAIL_SEARCH
ldap: Do a proper search for email in email_belongs_to_ldap. This fixes a collection of bugs surrounding LDAP configurations A and C (i.e. LDAP_APPEND_DOMAIN=None) with EmailAuthBackend also enabled. The core problem was that our desired security model in that setting of requiring LDAP authentication for accounts managed by LDAP was not implementable without a way to Now admins can configure an LDAPSearch query that will find if there are users in LDAP that have the email address and email_belongs_to_ldap() will take advantage of that - no longer returning True in response to all requests and thus blocking email backend authentication. In the documentation, we describe this as mandatory configuration for users (and likely will make it so soon in the code) because the failure modes for this not being configured are confusing. But making that change is pending work to improve the relevant error messages. Fixes #11715.
2019-10-05 01:02:46 +02:00
def find_ldap_users_by_email(email: str) -> Optional[List[_LDAPUser]]:
"""
Returns list of _LDAPUsers matching the email search,
or None if no matches are found.
"""
email_search = LDAPReverseEmailSearch(LDAPBackend(), email)
return email_search.search_for_users(should_populate=False)
user_settings: Prevent LDAP users from setting a Zulip password. Previously, if both EmailAuthBackend and LDAPAuthBackend were enabled, LDAP users could set a password using EmailAuthBackend and continue to use that password, even if their LDAP account was later deactivated. That configuration wasn't supported at all before, so this doesn't fix a pre-existing security issue, but now that we're making that a valid configuration, we need to cover this case.
2018-05-29 07:25:08 +02:00
def email_belongs_to_ldap(realm: Realm, email: str) -> bool:
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
"""Used to make determinations on whether a user's email address is
managed by LDAP. For environments using both LDAP and
Email+Password authentication, we do not allow EmailAuthBackend
authentication for email addresses managed by LDAP (to avoid a
security issue where one create separate credentials for an LDAP
user), and this function is used to enforce that rule.
"""
user_settings: Prevent LDAP users from setting a Zulip password. Previously, if both EmailAuthBackend and LDAPAuthBackend were enabled, LDAP users could set a password using EmailAuthBackend and continue to use that password, even if their LDAP account was later deactivated. That configuration wasn't supported at all before, so this doesn't fix a pre-existing security issue, but now that we're making that a valid configuration, we need to cover this case.
2018-05-29 07:25:08 +02:00
if not ldap_auth_enabled(realm):
return False
ldap: Make email search config obligatory without LDAP_APPEND_DOMAIN. Having to account everywhere for both cases of having and not having email search configured makes things needlessly complicated. It's better to make the setting obligatory in configurations other than LDAP_APPEND_DOMAIN.
2019-11-05 02:24:18 +01:00
check_ldap_config()
ldap: Do a proper search for email in email_belongs_to_ldap. This fixes a collection of bugs surrounding LDAP configurations A and C (i.e. LDAP_APPEND_DOMAIN=None) with EmailAuthBackend also enabled. The core problem was that our desired security model in that setting of requiring LDAP authentication for accounts managed by LDAP was not implementable without a way to Now admins can configure an LDAPSearch query that will find if there are users in LDAP that have the email address and email_belongs_to_ldap() will take advantage of that - no longer returning True in response to all requests and thus blocking email backend authentication. In the documentation, we describe this as mandatory configuration for users (and likely will make it so soon in the code) because the failure modes for this not being configured are confusing. But making that change is pending work to improve the relevant error messages. Fixes #11715.
2019-10-05 01:02:46 +02:00
if settings.LDAP_APPEND_DOMAIN:
# Check if the email ends with LDAP_APPEND_DOMAIN
return email.strip().lower().endswith("@" + settings.LDAP_APPEND_DOMAIN)
# If we don't have an LDAP domain, we have to do a lookup for the email.
if find_ldap_users_by_email(email):
return True
else:
return False
ldap: Improve logging. Our ldap integration is quite sensitive to misconfigurations, so more logging is better than less to help debug those issues. Despite the following docstring on ZulipLDAPException: "Since this inherits from _LDAPUser.AuthenticationFailed, these will be caught and logged at debug level inside django-auth-ldap's authenticate()" We weren't actually logging anything, because debug level messages were ignored due to our general logging settings. It is however desirable to log these errors, as they can prove useful in debugging configuration problems. The django_auth_ldap logger can get fairly spammy on debug level, so we delegate ldap logging to a separate file /var/log/zulip/ldap.log to avoid spamming server.log too much.
2019-12-27 23:03:00 +01:00
ldap_logger = logging.getLogger("zulip.ldap")
ldap auth: Reassure django_auth_ldap our auth-failed exceptions are normal. The main `authenticate` method in the django_auth_ldap package logs a message at `exception` level if it passes through an exception it wasn't expecting. Sensible practice, but we'd been passing through just such an exception for any kind of routine authentication failure. After we recently stopped suppressing an arbitrary subset of loggers with `disable_existing_loggers`, these started showing up noisily, including in tests. So, make our exceptions expected. Just like our own code, the upstream code raises exceptions of a particular type for routine auth failures, and catches them and just returns None. We make our type derive from that one, so as to just piggyback on that behavior. Fixes an issue reported in a comment to #6674.
2017-09-27 00:56:34 +02:00
class ZulipLDAPException(_LDAPUser.AuthenticationFailed):
ldap: Clarify outside_ldap_domain exception logic. The previous logic made it look like catching ZulipLDAPException on the authenticate() line was possible, but it isn't, because that exception is actually being handled inside django-auth-ldap's authenticate method.
2018-05-31 23:10:22 +02:00
"""Since this inherits from _LDAPUser.AuthenticationFailed, these will
be caught and logged at debug level inside django-auth-ldap's authenticate()"""
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
class ZulipLDAPExceptionNoMatchingLDAPUser(ZulipLDAPException):
pass
class ZulipLDAPExceptionOutsideDomain(ZulipLDAPExceptionNoMatchingLDAPUser):
auth: Improve interactions between LDAPAuthBackend and EmailAuthBackend. Previously, if you had LDAPAuthBackend enabled, we basically blocked any other auth backends from working at all, by requiring the user's login flow include verifying the user's LDAP password. We still want to enforce that in the case that the account email matches LDAP_APPEND_DOMAIN, but there's a reasonable corner case: Having effectively guest users from outside the LDAP domain. We don't want to allow creating a Zulip-level password for a user inside the LDAP domain, so we still verify the LDAP password in that flow, but if the email is allowed to register (due to invite or whatever) but is outside the LDAP domain for the organization, we allow it to create an account and set a password. For the moment, this solution only covers EmailAuthBackend. It's likely that just extending the list of other backends we check for in the new conditional on `email_auth_backend` would be correct, but we haven't done any testing for those cases, and with auth code paths, it's better to disallow than allow untested code paths. Fixes #9422.
2018-05-29 06:52:06 +02:00
pass
ldap: Show helpful message when realm is None.
2017-09-22 10:58:12 +02:00
class ZulipLDAPConfigurationError(Exception):
pass
ldap: Add support for automatic user deactivation/reactivation. As part of this, extend our documentation on synchronizing data from Active Directory.
2018-12-13 23:58:26 +01:00
LDAP_USER_ACCOUNT_CONTROL_DISABLED_MASK = 2
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
class ZulipLDAPAuthBackendBase(ZulipAuthMixin, LDAPBackend):
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
"""Common code between LDAP authentication (ZulipLDAPAuthBackend) and
using LDAP just to sync user data (ZulipLDAPUserPopulator).
To fully understand our LDAP backend, you may want to skim
django_auth_ldap/backend.py from the upstream django-auth-ldap
library. It's not a lot of code, and searching around in that
file makes the flow for LDAP authentication clear.
"""
python: Whitespace fixes from autopep8. Generated by autopep8, with the setup.cfg configuration from #14532. I’m not sure why pycodestyle didn’t already flag these. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:45:30 +02:00
auth: Add auth_name attribute for non external auth backends. This commit adds `name` attribute for the backends that do not have them. This is just a kind of prep commit in case if we want to use `self.logger.xxxx()` in the future which is dependent on the `name` attribute. But right now these logging calls aren't used anywhere in those backends.
2020-06-03 13:18:08 +02:00
name = "ldap"
fakeldap: Move fakeldap configuration into ZulipLDAPAuthBackendBase. This allows us to use this for testing the ZulipLDAPUserPopulator code as well.
2018-12-12 20:06:10 +01:00
def __init__(self) -> None:
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
# Used to initialize a fake LDAP directly for both manual
# and automated testing in a development environment where
# there is no actual LDAP server.
fakeldap: Move fakeldap configuration into ZulipLDAPAuthBackendBase. This allows us to use this for testing the ZulipLDAPUserPopulator code as well.
2018-12-12 20:06:10 +01:00
if settings.DEVELOPMENT and settings.FAKE_LDAP_MODE: # nocoverage
ldap: Extract `init_fakeldap()`.
2019-01-12 18:12:11 +01:00
init_fakeldap()
fakeldap: Move fakeldap configuration into ZulipLDAPAuthBackendBase. This allows us to use this for testing the ZulipLDAPUserPopulator code as well.
2018-12-12 20:06:10 +01:00
ldap: Make email search config obligatory without LDAP_APPEND_DOMAIN. Having to account everywhere for both cases of having and not having email search configured makes things needlessly complicated. It's better to make the setting obligatory in configurations other than LDAP_APPEND_DOMAIN.
2019-11-05 02:24:18 +01:00
check_ldap_config()
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
# Disable django-auth-ldap's permissions functions -- we don't use
# the standard Django user/group permissions system because they
# are prone to performance issues.
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def has_perm(self, user: Optional[UserProfile], perm: Any, obj: Any=None) -> bool:
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
return False
pep8: Fix E301 pep8 violations. Fix "E301: expected (1 or 2) blank line" pep8 violations.
2016-11-29 07:22:02 +01:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def has_module_perms(self, user: Optional[UserProfile], app_label: Optional[str]) -> bool:
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
return False
pep8: Fix E301 pep8 violations. Fix "E301: expected (1 or 2) blank line" pep8 violations.
2016-11-29 07:22:02 +01:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def get_all_permissions(self, user: Optional[UserProfile], obj: Any=None) -> Set[Any]:
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
return set()
pep8: Fix E301 pep8 violations. Fix "E301: expected (1 or 2) blank line" pep8 violations.
2016-11-29 07:22:02 +01:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def get_group_permissions(self, user: Optional[UserProfile], obj: Any=None) -> Set[Any]:
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
return set()
zproject: Change use of typing.Text to str.
2018-05-10 18:53:55 +02:00
def django_to_ldap_username(self, username: str) -> str:
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
"""
Translates django username (user_profile.email or whatever the user typed in the login
field when authenticating via the ldap backend) into ldap username.
Guarantees that the username it returns actually has an entry in the ldap directory.
Raises ZulipLDAPExceptionNoMatchingLDAPUser if that's not possible.
"""
result = username
Improve LDAP_APPEND_DOMAIN default. The documentation suggests the default is None; this change makes that true. Also make the actual code robust to this being set to "" instead.
2015-10-13 22:57:38 +02:00
if settings.LDAP_APPEND_DOMAIN:
ldap: Allow users to login with just LDAP username. We had an inconsistent behavior when `LDAP_APPEND_DOMAIN` was set in that we allowed user to enter username instead of his email in the auth form but later the workflow failed due to a small bug. Fixes: #10917.
2019-01-09 17:58:39 +01:00
if is_valid_email(username):
if not username.endswith("@" + settings.LDAP_APPEND_DOMAIN):
python: Convert percent formatting to Python 3.6 f-strings. Generated by pyupgrade --py36-plus. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-10 06:41:04 +02:00
raise ZulipLDAPExceptionOutsideDomain(f"Email {username} does not match LDAP domain {settings.LDAP_APPEND_DOMAIN}.")
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
result = email_to_username(username)
ldap: Make email search config obligatory without LDAP_APPEND_DOMAIN. Having to account everywhere for both cases of having and not having email search configured makes things needlessly complicated. It's better to make the setting obligatory in configurations other than LDAP_APPEND_DOMAIN.
2019-11-05 02:24:18 +01:00
else:
ldap: Use email search in django_to_ldap_username. With this, django_to_ldap_username can take an email and find the ldap username of the ldap user who has this email - if email search is configured. This allows successful authenticate() with ldap email and ldap password, instead of ldap username. This is especially useful because when a user wants to fetch their api key, the server attempts authenticate with user_profile.email - and this used to fail if the user was an ldap user (because the ldap username was required to authenticate succesfully). See issue #9277.
2019-10-05 03:54:48 +02:00
# We can use find_ldap_users_by_email
if is_valid_email(username):
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
email_search_result = find_ldap_users_by_email(username)
if email_search_result is None:
result = username
elif len(email_search_result) == 1:
return email_search_result[0]._username
elif len(email_search_result) > 1:
ldap: Use email search in django_to_ldap_username. With this, django_to_ldap_username can take an email and find the ldap username of the ldap user who has this email - if email search is configured. This allows successful authenticate() with ldap email and ldap password, instead of ldap username. This is especially useful because when a user wants to fetch their api key, the server attempts authenticate with user_profile.email - and this used to fail if the user was an ldap user (because the ldap username was required to authenticate succesfully). See issue #9277.
2019-10-05 03:54:48 +02:00
# This is possible, but strange, so worth logging a warning about.
# We can't translate the email to a unique username,
# so we don't do anything else here.
logging: Pass format arguments to logging. https://docs.python.org/3/howto/logging.html#optimization Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-05-02 08:44:14 +02:00
logging.warning("Multiple users with email %s found in LDAP.", username)
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
result = username
ldap: Use email search in django_to_ldap_username. With this, django_to_ldap_username can take an email and find the ldap username of the ldap user who has this email - if email search is configured. This allows successful authenticate() with ldap email and ldap password, instead of ldap username. This is especially useful because when a user wants to fetch their api key, the server attempts authenticate with user_profile.email - and this used to fail if the user was an ldap user (because the ldap username was required to authenticate succesfully). See issue #9277.
2019-10-05 03:54:48 +02:00
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
if _LDAPUser(self, result).attrs is None:
# Check that there actually is an ldap entry matching the result username
# we want to return. Otherwise, raise an exception.
ldap: Improve logging. Our ldap integration is quite sensitive to misconfigurations, so more logging is better than less to help debug those issues. Despite the following docstring on ZulipLDAPException: "Since this inherits from _LDAPUser.AuthenticationFailed, these will be caught and logged at debug level inside django-auth-ldap's authenticate()" We weren't actually logging anything, because debug level messages were ignored due to our general logging settings. It is however desirable to log these errors, as they can prove useful in debugging configuration problems. The django_auth_ldap logger can get fairly spammy on debug level, so we delegate ldap logging to a separate file /var/log/zulip/ldap.log to avoid spamming server.log too much.
2019-12-27 23:03:00 +01:00
error_message = "No ldap user matching django_to_ldap_username result: {}. Input username: {}"
raise ZulipLDAPExceptionNoMatchingLDAPUser(
python: Use trailing commas consistently. Automatically generated by the following script, based on the output of lint with flake8-comma: import re import sys last_filename = None last_row = None lines = [] for msg in sys.stdin: m = re.match( r"\x1b\[35mflake8 \|\x1b\[0m \x1b\[1;31m(.+):(\d+):(\d+): (\w+)", msg ) if m: filename, row_str, col_str, err = m.groups() row, col = int(row_str), int(col_str) if filename == last_filename: assert last_row != row else: if last_filename is not None: with open(last_filename, "w") as f: f.writelines(lines) with open(filename) as f: lines = f.readlines() last_filename = filename last_row = row line = lines[row - 1] if err in ["C812", "C815"]: lines[row - 1] = line[: col - 1] + "," + line[col - 1 :] elif err in ["C819"]: assert line[col - 2] == "," lines[row - 1] = line[: col - 2] + line[col - 1 :].lstrip(" ") if last_filename is not None: with open(last_filename, "w") as f: f.writelines(lines) Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-10 05:23:40 +02:00
error_message.format(result, username),
ldap: Improve logging. Our ldap integration is quite sensitive to misconfigurations, so more logging is better than less to help debug those issues. Despite the following docstring on ZulipLDAPException: "Since this inherits from _LDAPUser.AuthenticationFailed, these will be caught and logged at debug level inside django-auth-ldap's authenticate()" We weren't actually logging anything, because debug level messages were ignored due to our general logging settings. It is however desirable to log these errors, as they can prove useful in debugging configuration problems. The django_auth_ldap logger can get fairly spammy on debug level, so we delegate ldap logging to a separate file /var/log/zulip/ldap.log to avoid spamming server.log too much.
2019-12-27 23:03:00 +01:00
)
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
return result
pep8: Fix E301 pep8 violations. Fix "E301: expected (1 or 2) blank line" pep8 violations.
2016-11-29 07:22:02 +01:00
ldap: Extract ldap user -> django username mapping logic to a function. Fixes #11878 Instead of a confusing mix of django_auth_backed applying ldap_to_django_username in its internals for one part of the translation, and then custom logic for grabbing it from the email attribute of the ldapuser in ZulipLDAPAuthBackend.get_or_build_user for the second part of the translation, we put all the logic in a single function user_email_from_ldapuser which will be used by get_or_build of both ZulipLDAPUserPopulator and ZulipLDAPAuthBackend. This, building on the previous commits with the email search feature, fixes the ldap sync bug from issue #11878. If we can get upstream django-auth-ldap to merge https://github.com/django-auth-ldap/django-auth-ldap/pull/154, we'll be able to go back to using the version of ldap_to_django_username that accepts a _LDAPUser object.
2019-10-06 00:32:25 +02:00
def user_email_from_ldapuser(self, username: str, ldap_user: _LDAPUser) -> str:
if hasattr(ldap_user, '_username'):
# In tests, we sometimes pass a simplified _LDAPUser without _username attr,
# and with the intended username in the username argument.
username = ldap_user._username
Improve LDAP_APPEND_DOMAIN default. The documentation suggests the default is None; this change makes that true. Also make the actual code robust to this being set to "" instead.
2015-10-13 22:57:38 +02:00
if settings.LDAP_APPEND_DOMAIN:
Correctly concatenate local part with domain in LDAP backend. (imported from commit 951123e2e0ed52a11dc8b5ce3aeff2c1d4f5e816)
2013-11-25 17:57:30 +01:00
return "@".join((username, settings.LDAP_APPEND_DOMAIN))
ldap: Extract ldap user -> django username mapping logic to a function. Fixes #11878 Instead of a confusing mix of django_auth_backed applying ldap_to_django_username in its internals for one part of the translation, and then custom logic for grabbing it from the email attribute of the ldapuser in ZulipLDAPAuthBackend.get_or_build_user for the second part of the translation, we put all the logic in a single function user_email_from_ldapuser which will be used by get_or_build of both ZulipLDAPUserPopulator and ZulipLDAPAuthBackend. This, building on the previous commits with the email search feature, fixes the ldap sync bug from issue #11878. If we can get upstream django-auth-ldap to merge https://github.com/django-auth-ldap/django-auth-ldap/pull/154, we'll be able to go back to using the version of ldap_to_django_username that accepts a _LDAPUser object.
2019-10-06 00:32:25 +02:00
if settings.LDAP_EMAIL_ATTR is not None:
# Get email from ldap attributes.
if settings.LDAP_EMAIL_ATTR not in ldap_user.attrs:
python: Convert percent formatting to Python 3.6 f-strings. Generated by pyupgrade --py36-plus. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-10 06:41:04 +02:00
raise ZulipLDAPException(f"LDAP user doesn't have the needed {settings.LDAP_EMAIL_ATTR} attribute")
ldap: Extract ldap user -> django username mapping logic to a function. Fixes #11878 Instead of a confusing mix of django_auth_backed applying ldap_to_django_username in its internals for one part of the translation, and then custom logic for grabbing it from the email attribute of the ldapuser in ZulipLDAPAuthBackend.get_or_build_user for the second part of the translation, we put all the logic in a single function user_email_from_ldapuser which will be used by get_or_build of both ZulipLDAPUserPopulator and ZulipLDAPAuthBackend. This, building on the previous commits with the email search feature, fixes the ldap sync bug from issue #11878. If we can get upstream django-auth-ldap to merge https://github.com/django-auth-ldap/django-auth-ldap/pull/154, we'll be able to go back to using the version of ldap_to_django_username that accepts a _LDAPUser object.
2019-10-06 00:32:25 +02:00
else:
return ldap_user.attrs[settings.LDAP_EMAIL_ATTR][0]
return username
def ldap_to_django_username(self, username: str) -> str:
"""
This is called inside django_auth_ldap with only one role:
to convert _LDAPUser._username to django username (so in Zulip, the email)
and pass that as "username" argument to get_or_build_user(username, ldapuser).
In many cases, the email is stored in the _LDAPUser's attributes, so it can't be
constructed just from the username. We choose to do nothing in this function,
and our overrides of get_or_build_user() obtain that username from the _LDAPUser
object on their own, through our user_email_from_ldapuser function.
"""
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
return username
ldap: Add support for syncing avatar images from LDAP. This should make life a lot more convenient for organizations that use the LDAP integration and have their avatars in LDAP already. This hasn't been end-to-end tested against LDAP yet, so there may be some minor revisions, but fundamentally, it works, has automated tests, and should be easy to maintain. Fixes #286.
2018-12-12 19:46:37 +01:00
def sync_avatar_from_ldap(self, user: UserProfile, ldap_user: _LDAPUser) -> None:
if 'avatar' in settings.AUTH_LDAP_USER_ATTR_MAP:
# We do local imports here to avoid import loops
from io import BytesIO
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-11 00:54:34 +02:00
from zerver.lib.actions import do_change_avatar_fields
from zerver.lib.upload import upload_avatar_image
ldap: Add support for syncing avatar images from LDAP. This should make life a lot more convenient for organizations that use the LDAP integration and have their avatars in LDAP already. This hasn't been end-to-end tested against LDAP yet, so there may be some minor revisions, but fundamentally, it works, has automated tests, and should be easy to maintain. Fixes #286.
2018-12-12 19:46:37 +01:00
avatar_attr_name = settings.AUTH_LDAP_USER_ATTR_MAP['avatar']
ldap: Don't crash if some users don't have a thumbnailPhoto. It's normal for an LDAP database to have some users with a thumbnailPhoto field set and others without one, so we should support this configuration.
2018-12-30 01:32:16 +01:00
if avatar_attr_name not in ldap_user.attrs: # nocoverage
# If this specific user doesn't have e.g. a
# thumbnailPhoto set in LDAP, just skip that user.
return
ldap: Fix avatar sync not working with the S3 backend. This fixes an issue that caused LDAP synchronization to fail for avatars. The problem occurred due to the lack of a 'name' attribute on the BytesIO object that we pass to the upload backend (which is only used in the S3 backend for computing Content-Type). Fixes #12411.
2019-06-07 23:36:19 +02:00
ldap: Fix LDAP avatar synchronization to check if avatar has changed. When "manage.py sync_ldap_user_data" is run, user avatars are now only updated if they have changed in LDAP. Fixes #12381.
2019-06-28 00:10:58 +02:00
ldap_avatar = ldap_user.attrs[avatar_attr_name][0]
avatar_changed = is_avatar_new(ldap_avatar, user)
if not avatar_changed:
# Don't do work to replace the avatar with itself.
return
io = BytesIO(ldap_avatar)
ldap: Fix avatar sync not working with the S3 backend. This fixes an issue that caused LDAP synchronization to fail for avatars. The problem occurred due to the lack of a 'name' attribute on the BytesIO object that we pass to the upload backend (which is only used in the S3 backend for computing Content-Type). Fixes #12411.
2019-06-07 23:36:19 +02:00
# Structurally, to make the S3 backend happy, we need to
# provide a Content-Type; since that isn't specified in
# any metadata, we auto-detect it.
content_type = magic.from_buffer(copy.deepcopy(io).read()[0:1024], mime=True)
if content_type.startswith("image/"):
upload_avatar_image(io, user, user, content_type=content_type)
audit_log: Log acting_user in do_change_avatar_fields.
2020-06-29 12:47:44 +02:00
do_change_avatar_fields(user, UserProfile.AVATAR_FROM_USER, acting_user=None)
ldap: Fix LDAP avatar synchronization to check if avatar has changed. When "manage.py sync_ldap_user_data" is run, user avatars are now only updated if they have changed in LDAP. Fixes #12381.
2019-06-28 00:10:58 +02:00
# Update avatar hash.
user.avatar_hash = user_avatar_content_hash(ldap_avatar)
user.save(update_fields=["avatar_hash"])
ldap: Fix avatar sync not working with the S3 backend. This fixes an issue that caused LDAP synchronization to fail for avatars. The problem occurred due to the lack of a 'name' attribute on the BytesIO object that we pass to the upload backend (which is only used in the S3 backend for computing Content-Type). Fixes #12411.
2019-06-07 23:36:19 +02:00
else:
logging: Pass format arguments to logging. https://docs.python.org/3/howto/logging.html#optimization Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-05-02 08:44:14 +02:00
logging.warning("Could not parse %s field for user %s",
avatar_attr_name, user.id)
ldap: Add support for syncing avatar images from LDAP. This should make life a lot more convenient for organizations that use the LDAP integration and have their avatars in LDAP already. This hasn't been end-to-end tested against LDAP yet, so there may be some minor revisions, but fundamentally, it works, has automated tests, and should be easy to maintain. Fixes #286.
2018-12-12 19:46:37 +01:00
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
def is_account_control_disabled_user(self, ldap_user: _LDAPUser) -> bool:
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
"""Implements the userAccountControl check for whether a user has been
disabled in an Active Directory server being integrated with
Zulip via LDAP."""
ldap: Add support for automatic user deactivation/reactivation. As part of this, extend our documentation on synchronizing data from Active Directory.
2018-12-13 23:58:26 +01:00
account_control_value = ldap_user.attrs[settings.AUTH_LDAP_USER_ATTR_MAP['userAccountControl']][0]
ldap: Cast account_control_values to int. This value will usually apparently come through the LDAP API as a string, apparently.
2018-12-30 01:33:11 +01:00
ldap_disabled = bool(int(account_control_value) & LDAP_USER_ACCOUNT_CONTROL_DISABLED_MASK)
ldap: Add support for automatic user deactivation/reactivation. As part of this, extend our documentation on synchronizing data from Active Directory.
2018-12-13 23:58:26 +01:00
return ldap_disabled
auth: Convert `get_mapped_name()` in LDAP backend to a class method.
2019-01-16 09:06:11 +01:00
@classmethod
auth: Remove short_name from LDAP API. As best I can tell, we fetched this field and then ignored it, so unlike the last few commits, this is more a code cleanup than a functional change.
2020-07-17 20:22:10 +02:00
def get_mapped_name(cls, ldap_user: _LDAPUser) -> str:
"""Constructs the user's Zulip full_name from the LDAP data"""
ldap: Add support for two field mapping of full name. Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2019-01-10 18:25:34 +01:00
if "full_name" in settings.AUTH_LDAP_USER_ATTR_MAP:
full_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["full_name"]
auth: Remove short_name from LDAP API. As best I can tell, we fetched this field and then ignored it, so unlike the last few commits, this is more a code cleanup than a functional change.
2020-07-17 20:22:10 +02:00
full_name = ldap_user.attrs[full_name_attr][0]
ldap: Add support for two field mapping of full name. Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2019-01-10 18:25:34 +01:00
elif all(key in settings.AUTH_LDAP_USER_ATTR_MAP for key in {"first_name", "last_name"}):
first_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["first_name"]
last_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["last_name"]
auth: Remove short_name from LDAP API. As best I can tell, we fetched this field and then ignored it, so unlike the last few commits, this is more a code cleanup than a functional change.
2020-07-17 20:22:10 +02:00
first_name = ldap_user.attrs[first_name_attr][0]
last_name = ldap_user.attrs[last_name_attr][0]
full_name = f"{first_name} {last_name}"
ldap: Add support for two field mapping of full name. Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2019-01-10 18:25:34 +01:00
else:
raise ZulipLDAPException("Missing required mapping for user's full name")
auth: Remove short_name from LDAP API. As best I can tell, we fetched this field and then ignored it, so unlike the last few commits, this is more a code cleanup than a functional change.
2020-07-17 20:22:10 +02:00
return full_name
ldap: Add support for two field mapping of full name. Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2019-01-10 18:25:34 +01:00
def sync_full_name_from_ldap(self, user_profile: UserProfile,
auth: Add tests for `ZulipLDAPUserPopulator`. Fixes: #11041.
2019-01-12 17:15:14 +01:00
ldap_user: _LDAPUser) -> None:
ldap: Add support for two field mapping of full name. Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2019-01-10 18:25:34 +01:00
from zerver.lib.actions import do_change_full_name
auth: Remove short_name from LDAP API. As best I can tell, we fetched this field and then ignored it, so unlike the last few commits, this is more a code cleanup than a functional change.
2020-07-17 20:22:10 +02:00
full_name = self.get_mapped_name(ldap_user)
ldap: Add support for two field mapping of full name. Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2019-01-10 18:25:34 +01:00
if full_name != user_profile.full_name:
try:
full_name = check_full_name(full_name)
except JsonableError as e:
raise ZulipLDAPException(e.msg)
do_change_full_name(user_profile, full_name, None)
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
def sync_custom_profile_fields_from_ldap(self, user_profile: UserProfile,
ldap_user: _LDAPUser) -> None:
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:09:50 +02:00
values_by_var_name: Dict[str, Union[int, str, List[int]]] = {}
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
for attr, ldap_attr in settings.AUTH_LDAP_USER_ATTR_MAP.items():
if not attr.startswith('custom_profile_field__'):
continue
var_name = attr.split('custom_profile_field__')[1]
ldap: Continue syncing other fields even if a field is missing. Earlier the behavior was to raise an exception thereby stopping the whole sync. Now we log an error message and skip the field. Also fixes the `query_ldap` command to report missing fields without error. Fixes: #11780.
2019-03-05 09:40:40 +01:00
try:
value = ldap_user.attrs[ldap_attr][0]
except KeyError:
# If this user doesn't have this field set then ignore this
# field and continue syncing other fields. `django-auth-ldap`
# automatically logs error about missing field.
continue
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
values_by_var_name[var_name] = value
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:09:50 +02:00
fields_by_var_name: Dict[str, CustomProfileField] = {}
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
custom_profile_fields = custom_profile_fields_for_realm(user_profile.realm.id)
for field in custom_profile_fields:
var_name = '_'.join(field.name.lower().split(' '))
fields_by_var_name[var_name] = field
existing_values = {}
for data in user_profile.profile_data:
mypy: Remove type ignore by defining ProfileDataElement using TypedDict.
2019-08-04 02:00:19 +02:00
var_name = '_'.join(data['name'].lower().split(' '))
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
existing_values[var_name] = data['value']
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:09:50 +02:00
profile_data: List[Dict[str, Union[int, str, List[int]]]] = []
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
for var_name, value in values_by_var_name.items():
try:
field = fields_by_var_name[var_name]
except KeyError:
python: Convert percent formatting to Python 3.6 f-strings. Generated by pyupgrade --py36-plus. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-10 06:41:04 +02:00
raise ZulipLDAPException(f'Custom profile field with name {var_name} not found.')
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
if existing_values.get(var_name) == value:
continue
request: Improve validator type so mypy can check it against REQ. Old: a validator returns None on success and returns an error string on error. New: a validator returns the validated value on success and raises ValidationError on error. This allows mypy to catch mismatches between the annotated type of a REQ parameter and the type that the validator actually validates. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-21 02:36:20 +02:00
try:
validate_user_custom_profile_field(user_profile.realm.id, field, value)
except ValidationError as error:
raise ZulipLDAPException(f'Invalid data for {var_name} field: {error.message}')
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
profile_data.append({
'id': field.id,
'value': value,
})
do_update_user_custom_profile_data: Rename to ..._if_changed. This adds clarity to the fact that the function no longer does anything if the field values haven't changed.
2019-10-01 04:22:50 +02:00
do_update_user_custom_profile_data_if_changed(user_profile, profile_data)
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
class ZulipLDAPAuthBackend(ZulipLDAPAuthBackendBase):
ldap: Show helpful message when realm is None.
2017-09-22 10:58:12 +02:00
REALM_IS_NONE_ERROR = 1
auth: Rate limit username+password authenticate() calls. This applies rate limiting (through a decorator) of authenticate() functions in the Email and LDAP backends - because those are the ones where we check user's password. The limiting is based on the username that the authentication is attempted for - more than X attempts in Y minutes to a username is not permitted. If the limit is exceeded, RateLimited exception will be raised - this can be either handled in a custom way by the code that calls authenticate(), or it will be handled by RateLimitMiddleware and return a json_error as the response.
2019-08-01 15:09:27 +02:00
@rate_limit_auth
auth: Give all backend authenticate() optional request argument. This is required for our migration to Django 2.2. authenticate() definitions need to have that starting with Django 2.1. rate_limit_auth needs to be adjusted to expect the request in the first positional argument instead of a kwarg.
2020-02-04 14:04:10 +01:00
def authenticate(self, request: Optional[HttpRequest]=None, *,
username: str, password: str, realm: Realm,
registration: Populate LDAP users using invitation information. Fixes: #11212.
2019-01-16 09:59:01 +01:00
prereg_user: Optional[PreregistrationUser]=None,
backends: Convert authenticate methods to modern type annotations.
2017-11-21 20:47:26 +01:00
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
self._realm = realm
registration: Populate LDAP users using invitation information. Fixes: #11212.
2019-01-16 09:59:01 +01:00
self._prereg_user = prereg_user
auth: Move LDAP check for whether backend is enabled earlier. The previous logic felt fairly convoluted.
2017-11-21 21:45:32 +01:00
if not ldap_auth_enabled(realm):
return None
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
try:
ldap: Use a cleaner super().authenticate() call in ZulipLDAPAuthBackend.
2019-12-27 17:17:56 +01:00
# We want to pass the user's LDAP username into
ldap: Use email search in django_to_ldap_username. With this, django_to_ldap_username can take an email and find the ldap username of the ldap user who has this email - if email search is configured. This allows successful authenticate() with ldap email and ldap password, instead of ldap username. This is especially useful because when a user wants to fetch their api key, the server attempts authenticate with user_profile.email - and this used to fail if the user was an ldap user (because the ldap username was required to authenticate succesfully). See issue #9277.
2019-10-05 03:54:48 +02:00
# authenticate() below. If an email address was entered
# in the login form, we need to use
# django_to_ldap_username to translate the email address
# to the user's LDAP username before calling the
# django-auth-ldap authenticate().
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
username = self.django_to_ldap_username(username)
ldap: Improve logging. Our ldap integration is quite sensitive to misconfigurations, so more logging is better than less to help debug those issues. Despite the following docstring on ZulipLDAPException: "Since this inherits from _LDAPUser.AuthenticationFailed, these will be caught and logged at debug level inside django-auth-ldap's authenticate()" We weren't actually logging anything, because debug level messages were ignored due to our general logging settings. It is however desirable to log these errors, as they can prove useful in debugging configuration problems. The django_auth_ldap logger can get fairly spammy on debug level, so we delegate ldap logging to a separate file /var/log/zulip/ldap.log to avoid spamming server.log too much.
2019-12-27 23:03:00 +01:00
except ZulipLDAPExceptionNoMatchingLDAPUser as e:
logging: Pass format arguments to unconventionally-named loggers too. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-05-02 20:57:12 +02:00
ldap_logger.debug("%s: %s", self.__class__.__name__, e)
mypy: Add Optional & check in zproject/backends.py; remove from mypy.ini.
2018-10-27 03:19:49 +02:00
if return_data is not None:
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
return_data['no_matching_ldap_user'] = True
auth: Improve interactions between LDAPAuthBackend and EmailAuthBackend. Previously, if you had LDAPAuthBackend enabled, we basically blocked any other auth backends from working at all, by requiring the user's login flow include verifying the user's LDAP password. We still want to enforce that in the case that the account email matches LDAP_APPEND_DOMAIN, but there's a reasonable corner case: Having effectively guest users from outside the LDAP domain. We don't want to allow creating a Zulip-level password for a user inside the LDAP domain, so we still verify the LDAP password in that flow, but if the email is allowed to register (due to invite or whatever) but is outside the LDAP domain for the organization, we allow it to create an account and set a password. For the moment, this solution only covers EmailAuthBackend. It's likely that just extending the list of other backends we check for in the new conditional on `email_auth_backend` would be correct, but we haven't done any testing for those cases, and with auth code paths, it's better to disallow than allow untested code paths. Fixes #9422.
2018-05-29 06:52:06 +02:00
return None
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
# Call into (ultimately) the django-auth-ldap authenticate
# function. This will check the username/password pair
# against the LDAP database, and assuming those are correct,
# end up calling `self.get_or_build_user` with the
# authenticated user's data from LDAP.
auth: Give all backend authenticate() optional request argument. This is required for our migration to Django 2.2. authenticate() definitions need to have that starting with Django 2.1. rate_limit_auth needs to be adjusted to expect the request in the first positional argument instead of a kwarg.
2020-02-04 14:04:10 +01:00
return super().authenticate(request=request, username=username, password=password)
ldap: Clarify outside_ldap_domain exception logic. The previous logic made it look like catching ZulipLDAPException on the authenticate() line was possible, but it isn't, because that exception is actually being handled inside django-auth-ldap's authenticate method.
2018-05-31 23:10:22 +02:00
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
def get_or_build_user(self, username: str, ldap_user: _LDAPUser) -> Tuple[UserProfile, bool]:
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
"""The main function of our authentication backend extension of
django-auth-ldap. When this is called (from `authenticate`),
django-auth-ldap will already have verified that the provided
username and password match those in the LDAP database.
This function's responsibility is to check (1) whether the
email address for this user obtained from LDAP has an active
account in this Zulip realm. If so, it will log them in.
Otherwise, to provide a seamless Single Sign-On experience
with LDAP, this function can automatically create a new Zulip
user account in the realm (assuming the realm is configured to
allow that email address to sign up).
"""
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:09:50 +02:00
return_data: Dict[str, Any] = {}
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
ldap: Extract ldap user -> django username mapping logic to a function. Fixes #11878 Instead of a confusing mix of django_auth_backed applying ldap_to_django_username in its internals for one part of the translation, and then custom logic for grabbing it from the email attribute of the ldapuser in ZulipLDAPAuthBackend.get_or_build_user for the second part of the translation, we put all the logic in a single function user_email_from_ldapuser which will be used by get_or_build of both ZulipLDAPUserPopulator and ZulipLDAPAuthBackend. This, building on the previous commits with the email search feature, fixes the ldap sync bug from issue #11878. If we can get upstream django-auth-ldap to merge https://github.com/django-auth-ldap/django-auth-ldap/pull/154, we'll be able to go back to using the version of ldap_to_django_username that accepts a _LDAPUser object.
2019-10-06 00:32:25 +02:00
username = self.user_email_from_ldapuser(username, ldap_user)
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
ldap: Add support for automatic user deactivation/reactivation. As part of this, extend our documentation on synchronizing data from Active Directory.
2018-12-13 23:58:26 +01:00
if 'userAccountControl' in settings.AUTH_LDAP_USER_ATTR_MAP: # nocoverage
ldap_disabled = self.is_account_control_disabled_user(ldap_user)
if ldap_disabled:
# Treat disabled users as deactivated in Zulip.
return_data["inactive_user"] = True
raise ZulipLDAPException("User has been deactivated")
ldap: Use new helper for checking realm status. We intentionally don't fix the indentation that now feels ridiculous below in order to make it easier to see what's actually changing in this commit.
2017-11-21 21:52:34 +01:00
user_profile = common_get_active_user(username, self._realm, return_data)
ldap: Use simpler ordering for handling successful auth. common_get_active_user returns None if it finds any problems.
2017-11-21 21:57:23 +01:00
if user_profile is not None:
# An existing user, successfully authed; return it.
return user_profile, False
ldap: Use new helper for checking realm status. We intentionally don't fix the indentation that now feels ridiculous below in order to make it easier to see what's actually changing in this commit.
2017-11-21 21:52:34 +01:00
if return_data.get("inactive_realm"):
ldap: Simplify logic for user creation. self._realm can't be None here with the new logic in authenticate().
2017-11-18 01:13:35 +01:00
# This happens if there is a user account in a deactivated realm
ldap: Use new helper for checking realm status. We intentionally don't fix the indentation that now feels ridiculous below in order to make it easier to see what's actually changing in this commit.
2017-11-21 21:52:34 +01:00
raise ZulipLDAPException("Realm has been deactivated")
if return_data.get("inactive_user"):
ldap: Fix the error message for deactivated users.
2017-11-18 01:07:20 +01:00
raise ZulipLDAPException("User has been deactivated")
auth: Remove `invalid_subdomain` restriction from LDAP backend. Fixes: #11692.
2019-03-04 13:16:00 +01:00
# An invalid_subdomain `return_data` value here is ignored,
# since that just means we're trying to create an account in a
# second realm on the server (`ldap_auth_enabled(realm)` would
# have been false if this user wasn't meant to have an account
# in this second realm).
ldap: Remove some unnecessary indentation. We created this redundant pair of conditionals in a preceding commit, in order to match the indentation of an `except` block so as to slice the diffs extra finely as we're refactoring auth code.
2017-11-18 01:12:05 +01:00
if self._realm.deactivated:
ldap: Simplify logic for user creation. self._realm can't be None here with the new logic in authenticate().
2017-11-18 01:13:35 +01:00
# This happens if no account exists, but the realm is
# deactivated, so we shouldn't create a new user account
ldap: Remove some unnecessary indentation. We created this redundant pair of conditionals in a preceding commit, in order to match the indentation of an `except` block so as to slice the diffs extra finely as we're refactoring auth code.
2017-11-18 01:12:05 +01:00
raise ZulipLDAPException("Realm has been deactivated")
ldap: Ensure email is valid for realm before registering. Previously, the LDAP authentication model ignored the realm-level settings for who can join a realm. This was sort of reasonable at the time, because the original LDAP auth was an SSO solution that didn't allow multiple realms, and so one could fully configure authentication settings on the LDAP side. But now that we allow multiple realms with the LDAP backend, one could easily imagine wanting different restrictions on them, and so it makes sense to add this enforcement.
2019-03-10 08:57:19 +01:00
# Makes sure that email domain hasn't be restricted for this
# realm. The main thing here is email_allowed_for_realm; but
refactor: Rename validate_email_for_realm. Now called: validate_email_not_already_in_realm We have a separate validation function that makes sure that the email fits into a realm's domain scheme, and we want to avoid naming confusion here.
2020-03-02 13:24:50 +01:00
# we also call validate_email_not_already_in_realm just for consistency,
ldap: Ensure email is valid for realm before registering. Previously, the LDAP authentication model ignored the realm-level settings for who can join a realm. This was sort of reasonable at the time, because the original LDAP auth was an SSO solution that didn't allow multiple realms, and so one could fully configure authentication settings on the LDAP side. But now that we allow multiple realms with the LDAP backend, one could easily imagine wanting different restrictions on them, and so it makes sense to add this enforcement.
2019-03-10 08:57:19 +01:00
# even though its checks were already done above.
try:
email_allowed_for_realm(username, self._realm)
refactor: Rename validate_email_for_realm. Now called: validate_email_not_already_in_realm We have a separate validation function that makes sure that the email fits into a realm's domain scheme, and we want to avoid naming confusion here.
2020-03-02 13:24:50 +01:00
validate_email_not_already_in_realm(self._realm, username)
ldap: Ensure email is valid for realm before registering. Previously, the LDAP authentication model ignored the realm-level settings for who can join a realm. This was sort of reasonable at the time, because the original LDAP auth was an SSO solution that didn't allow multiple realms, and so one could fully configure authentication settings on the LDAP side. But now that we allow multiple realms with the LDAP backend, one could easily imagine wanting different restrictions on them, and so it makes sense to add this enforcement.
2019-03-10 08:57:19 +01:00
except DomainNotAllowedForRealmError:
raise ZulipLDAPException("This email domain isn't allowed in this organization.")
except (DisposableEmailError, EmailContainsPlusError):
raise ZulipLDAPException("Email validation failed.")
ldap: Simplify logic for user creation. self._realm can't be None here with the new logic in authenticate().
2017-11-18 01:13:35 +01:00
# We have valid LDAP credentials; time to create an account.
auth: Remove short_name from LDAP API. As best I can tell, we fetched this field and then ignored it, so unlike the last few commits, this is more a code cleanup than a functional change.
2020-07-17 20:22:10 +02:00
full_name = self.get_mapped_name(ldap_user)
ldap: Remove some unnecessary indentation. We created this redundant pair of conditionals in a preceding commit, in order to match the indentation of an `except` block so as to slice the diffs extra finely as we're refactoring auth code.
2017-11-18 01:12:05 +01:00
try:
full_name = check_full_name(full_name)
except JsonableError as e:
raise ZulipLDAPException(e.msg)
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:09:50 +02:00
opts: Dict[str, Any] = {}
registration: Populate LDAP users using invitation information. Fixes: #11212.
2019-01-16 09:59:01 +01:00
if self._prereg_user:
invited_as = self._prereg_user.invited_as
ldap: Fix realm_creation=True registration flow. When creating realm with the ldap backend, the registration flow didn't properly handle some things - the user wouldn't be set as realm admin, initial subscriptions and messages weren't created, and the redirect wasn't happening properly in the case of subdomains.
2019-11-07 05:13:08 +01:00
realm_creation = self._prereg_user.realm_creation
registration: Populate LDAP users using invitation information. Fixes: #11212.
2019-01-16 09:59:01 +01:00
opts['prereg_user'] = self._prereg_user
users: Modify do_create_user and create_user to accept role. We change do_create_user and create_user to accept role as a parameter instead of 'is_realm_admin' and 'is_guest'. These changes are done to minimize data conversions between role and boolean fields.
2020-06-03 01:11:36 +02:00
opts['role'] = get_role_for_new_user(invited_as, realm_creation)
ldap: Fix realm_creation=True registration flow. When creating realm with the ldap backend, the registration flow didn't properly handle some things - the user wouldn't be set as realm admin, initial subscriptions and messages weren't created, and the redirect wasn't happening properly in the case of subdomains.
2019-11-07 05:13:08 +01:00
opts['realm_creation'] = realm_creation
default stream groups: Fix buggy LDAP behavior. With LDAP authentication, we don't currently have a good way to support the default stream groups feature. The old behavior was just to assume a user select every default stream group, which seems wrong; since we didn't prompt the user about these, we should just ignore the feature.
2020-01-14 23:40:17 +01:00
# TODO: Ideally, we should add a mechanism for the user
# entering which default stream groups they've selected in
# the LDAP flow.
opts['default_stream_groups'] = []
registration: Populate LDAP users using invitation information. Fixes: #11212.
2019-01-16 09:59:01 +01:00
database: Remove short_name from UserProfile. A few major themes here: - We remove short_name from UserProfile and add the appropriate migration. - We remove short_name from various cache-related lists of fields. - We allow import tools to continue to write short_name to their export files, and then we simply ignore the field at import time. - We change functions like do_create_user, create_user_profile, etc. - We keep short_name in the /json/bots API. (It actually gets turned into an email.) - We don't modify our LDAP code much here.
2020-07-16 14:10:43 +02:00
user_profile = do_create_user(username, None, self._realm, full_name, acting_user=None, **opts)
ldap: Add support for syncing avatar images from LDAP. This should make life a lot more convenient for organizations that use the LDAP integration and have their avatars in LDAP already. This hasn't been end-to-end tested against LDAP yet, so there may be some minor revisions, but fundamentally, it works, has automated tests, and should be easy to maintain. Fixes #286.
2018-12-12 19:46:37 +01:00
self.sync_avatar_from_ldap(user_profile, ldap_user)
ldap: Add ability to automatically sync custom profile fields.
2019-01-29 13:39:21 +01:00
self.sync_custom_profile_fields_from_ldap(user_profile, ldap_user)
ldap: Remove some unnecessary indentation. We created this redundant pair of conditionals in a preceding commit, in order to match the indentation of an `except` block so as to slice the diffs extra finely as we're refactoring auth code.
2017-11-18 01:12:05 +01:00
return user_profile, True
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
ldap: Fix error while updating a user registered in multiple realms. Previously, the LDAP code for syncing user data was not multiple-realm-aware, resulting in errors trying to sync data for an LDAP user present in multiple realms. Tweaked by tabbott to add some extended comments. Fixes #11520.
2019-11-09 00:27:18 +01:00
class ZulipLDAPUser(_LDAPUser):
"""
This is an extension of the _LDAPUser class, with a realm attribute
attached to it. It's purpose is to call its inherited method
populate_user() which will sync the ldap data with the corresponding
UserProfile. The realm attribute serves to uniquely identify the UserProfile
in case the ldap user is registered to multiple realms.
"""
python: Whitespace fixes from autopep8. Generated by autopep8, with the setup.cfg configuration from #14532. I’m not sure why pycodestyle didn’t already flag these. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:45:30 +02:00
ldap: Fix error while updating a user registered in multiple realms. Previously, the LDAP code for syncing user data was not multiple-realm-aware, resulting in errors trying to sync data for an LDAP user present in multiple realms. Tweaked by tabbott to add some extended comments. Fixes #11520.
2019-11-09 00:27:18 +01:00
def __init__(self, *args: Any, **kwargs: Any) -> None:
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:09:50 +02:00
self.realm: Realm = kwargs['realm']
ldap: Fix error while updating a user registered in multiple realms. Previously, the LDAP code for syncing user data was not multiple-realm-aware, resulting in errors trying to sync data for an LDAP user present in multiple realms. Tweaked by tabbott to add some extended comments. Fixes #11520.
2019-11-09 00:27:18 +01:00
del kwargs['realm']
super().__init__(*args, **kwargs)
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
class ZulipLDAPUserPopulator(ZulipLDAPAuthBackendBase):
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
"""Just like ZulipLDAPAuthBackend, but doesn't let you log in. Used
for syncing data like names, avatars, and custom profile fields
from LDAP in `manage.py sync_ldap_user_data` as well as in
registration for organizations that use a different SSO solution
for managing login (often via RemoteUserBackend).
"""
python: Whitespace fixes from autopep8. Generated by autopep8, with the setup.cfg configuration from #14532. I’m not sure why pycodestyle didn’t already flag these. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:45:30 +02:00
auth: Give all backend authenticate() optional request argument. This is required for our migration to Django 2.2. authenticate() definitions need to have that starting with Django 2.1. rate_limit_auth needs to be adjusted to expect the request in the first positional argument instead of a kwarg.
2020-02-04 14:04:10 +01:00
def authenticate(self, request: Optional[HttpRequest]=None, *,
username: str, password: str, realm: Realm,
authenticate: Remove default values for required parameters. It is now the caller’s responsibility to check that realm is not None. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-05 01:04:48 +02:00
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
return None
Add a new dev login page for logging in without a password on the dev VM. (imported from commit ac8f2504771c9907b7e92dc91cec5f7220ce951b)
2015-08-19 02:58:20 +02:00
ldap: Move ZulipLDAPAuthBackendBase.get_or_build_user definition. This function is inherited by ZulipLDAPUserPopulator and overriden by ZulipLDAPAuthBackend, so it's more clear to have it simply defined in ZulipLDAPUserPopulator directly.
2019-10-26 23:28:01 +02:00
def get_or_build_user(self, username: str,
ldap: Fix error while updating a user registered in multiple realms. Previously, the LDAP code for syncing user data was not multiple-realm-aware, resulting in errors trying to sync data for an LDAP user present in multiple realms. Tweaked by tabbott to add some extended comments. Fixes #11520.
2019-11-09 00:27:18 +01:00
ldap_user: ZulipLDAPUser) -> Tuple[UserProfile, bool]:
ldap: Move ZulipLDAPAuthBackendBase.get_or_build_user definition. This function is inherited by ZulipLDAPUserPopulator and overriden by ZulipLDAPAuthBackend, so it's more clear to have it simply defined in ZulipLDAPUserPopulator directly.
2019-10-26 23:28:01 +02:00
"""This is used only in non-authentication contexts such as:
./manage.py sync_ldap_user_data
"""
# Obtain the django username from the ldap_user object:
username = self.user_email_from_ldapuser(username, ldap_user)
ldap: Fix error while updating a user registered in multiple realms. Previously, the LDAP code for syncing user data was not multiple-realm-aware, resulting in errors trying to sync data for an LDAP user present in multiple realms. Tweaked by tabbott to add some extended comments. Fixes #11520.
2019-11-09 00:27:18 +01:00
# We set the built flag (which tells django-auth-ldap whether the user object
# was taken from the database or freshly built) to False - because in this codepath
# the user we're syncing of course already has to exist in the database.
user = get_user_by_delivery_email(username, ldap_user.realm)
built = False
ldap: Move ZulipLDAPAuthBackendBase.get_or_build_user definition. This function is inherited by ZulipLDAPUserPopulator and overriden by ZulipLDAPAuthBackend, so it's more clear to have it simply defined in ZulipLDAPUserPopulator directly.
2019-10-26 23:28:01 +02:00
# Synchronise the UserProfile with its LDAP attributes:
if 'userAccountControl' in settings.AUTH_LDAP_USER_ATTR_MAP:
user_disabled_in_ldap = self.is_account_control_disabled_user(ldap_user)
if user_disabled_in_ldap:
if user.is_active:
ldap: Use zulip.ldap logger in ZulipLDAPUserPopulator.
2020-07-17 15:39:59 +02:00
ldap_logger.info("Deactivating user %s because they are disabled in LDAP.",
user.delivery_email)
ldap: Move ZulipLDAPAuthBackendBase.get_or_build_user definition. This function is inherited by ZulipLDAPUserPopulator and overriden by ZulipLDAPAuthBackend, so it's more clear to have it simply defined in ZulipLDAPUserPopulator directly.
2019-10-26 23:28:01 +02:00
do_deactivate_user(user)
# Do an early return to avoid trying to sync additional data.
return (user, built)
elif not user.is_active:
ldap: Use zulip.ldap logger in ZulipLDAPUserPopulator.
2020-07-17 15:39:59 +02:00
ldap_logger.info("Reactivating user %s because they are not disabled in LDAP.",
user.delivery_email)
ldap: Move ZulipLDAPAuthBackendBase.get_or_build_user definition. This function is inherited by ZulipLDAPUserPopulator and overriden by ZulipLDAPAuthBackend, so it's more clear to have it simply defined in ZulipLDAPUserPopulator directly.
2019-10-26 23:28:01 +02:00
do_reactivate_user(user)
self.sync_avatar_from_ldap(user, ldap_user)
self.sync_full_name_from_ldap(user, ldap_user)
self.sync_custom_profile_fields_from_ldap(user, ldap_user)
return (user, built)
ldap: Fix unintended user deactivation in case of connection failure. Fixes #13130. django_auth_ldap doesn't give any other way of detecting that LDAPError happened other than catching the signal it emits - so we have to register a receiver. In the receiver we just raise our own Exception which will properly propagate without being silenced by django_auth_ldap. This will stop execution before the user gets deactivated.
2019-09-04 10:11:25 +02:00
class PopulateUserLDAPError(ZulipLDAPException):
pass
@receiver(ldap_error, sender=ZulipLDAPUserPopulator)
def catch_ldap_error(signal: Signal, **kwargs: Any) -> None:
"""
Inside django_auth_ldap populate_user(), if LDAPError is raised,
e.g. due to invalid connection credentials, the function catches it
and emits a signal (ldap_error) to communicate this error to others.
We normally don't use signals, but here there's no choice, so in this function
we essentially convert the signal to a normal exception that will properly
propagate out of django_auth_ldap internals.
"""
if kwargs['context'] == 'populate_user':
# The exception message can contain the password (if it was invalid),
# so it seems better not to log that, and only use the original exception's name here.
raise PopulateUserLDAPError(kwargs['exception'].__class__.__name__)
ldap: Fix logging of warning for deactivated users. Also cleans up the interface between the management command and the LDAP backends code to not guess/recompute under what circumstances what should be logged. Co-authored-by: mateuszmandera <mateusz.mandera@protonmail.com>
2019-08-26 21:13:23 +02:00
def sync_user_from_ldap(user_profile: UserProfile, logger: logging.Logger) -> bool:
management: Extract `sync_user_from_ldap()`.
2019-01-12 12:32:54 +01:00
backend = ZulipLDAPUserPopulator()
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
try:
ldap: Fix bad interaction between EMAIL_ADDRESS_VISIBILITY and LDAP sync. A block of LDAP integration code related to data synchronization did not correctly handle EMAIL_ADDRESS_VISIBILITY_ADMINS, as it was accessing .email, not .delivery_email, both for logging and doing the mapping between email addresses and LDAP users. Fixes #13539.
2019-12-15 20:10:09 +01:00
ldap_username = backend.django_to_ldap_username(user_profile.delivery_email)
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
except ZulipLDAPExceptionNoMatchingLDAPUser:
settings: Move LDAP_DEACTIVATE_NON_MATCHING_USERS default to default_settings. Tweaked by tabbott to fix an incorrect translation to ONLY_SSO. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-10 06:06:57 +02:00
if (
settings.ONLY_LDAP
if settings.LDAP_DEACTIVATE_NON_MATCHING_USERS is None
else settings.LDAP_DEACTIVATE_NON_MATCHING_USERS
):
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
do_deactivate_user(user_profile)
logging: Pass format arguments to logging. https://docs.python.org/3/howto/logging.html#optimization Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-05-02 08:44:14 +02:00
logger.info("Deactivated non-matching user: %s", user_profile.delivery_email)
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
return True
elif user_profile.is_active:
logging: Pass format arguments to logging. https://docs.python.org/3/howto/logging.html#optimization Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-05-02 08:44:14 +02:00
logger.warning("Did not find %s in LDAP.", user_profile.delivery_email)
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
return False
ldap: Fix error while updating a user registered in multiple realms. Previously, the LDAP code for syncing user data was not multiple-realm-aware, resulting in errors trying to sync data for an LDAP user present in multiple realms. Tweaked by tabbott to add some extended comments. Fixes #11520.
2019-11-09 00:27:18 +01:00
# What one would expect to see like to do here is just a call to
# `backend.populate_user`, which in turn just creates the
# `_LDAPUser` object and calls `ldap_user.populate_user()` on
# that. Unfortunately, that will produce incorrect results in the
# case that the server has multiple Zulip users in different
# realms associated with a single LDAP user, because
# `django-auth-ldap` isn't implemented with the possibility of
# multiple realms on different subdomains in mind.
#
# To address this, we construct a version of the _LDAPUser class
# extended to store the realm of the target user, and call its
# `.populate_user` function directly.
#
# Ideally, we'd contribute changes to `django-auth-ldap` upstream
# making this flow possible in a more directly supported fashion.
updated_user = ZulipLDAPUser(backend, ldap_username, realm=user_profile.realm).populate_user()
ldap: Fix logging of warning for deactivated users. Also cleans up the interface between the management command and the LDAP backends code to not guess/recompute under what circumstances what should be logged. Co-authored-by: mateuszmandera <mateusz.mandera@protonmail.com>
2019-08-26 21:13:23 +02:00
if updated_user:
logging: Pass format arguments to logging. https://docs.python.org/3/howto/logging.html#optimization Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-05-02 08:44:14 +02:00
logger.info("Updated %s.", user_profile.delivery_email)
ldap: Fix logging of warning for deactivated users. Also cleans up the interface between the management command and the LDAP backends code to not guess/recompute under what circumstances what should be logged. Co-authored-by: mateuszmandera <mateusz.mandera@protonmail.com>
2019-08-26 21:13:23 +02:00
return True
python: Convert "".format to Python 3.6 f-strings. Generated by pyupgrade --py36-plus --keep-percent-format, but with the NamedTuple changes reverted (see commit ba7906a3c657905fa35bbcfb4e97b053f050272d, #15132). Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-09 00:25:09 +02:00
raise PopulateUserLDAPError(f"populate_user unexpectedly returned {updated_user}")
management: Extract `sync_user_from_ldap()`.
2019-01-12 12:32:54 +01:00
management: Move `query_ldap` function to `zproject/backends.py`. This will make it simpler to organize and unit-test all of our authentication backend code.
2019-03-09 07:52:14 +01:00
# Quick tool to test whether you're correctly authenticating to LDAP
tests: Refactor `query_ldap()` and add complete test coverage.
2019-03-09 08:32:06 +01:00
def query_ldap(email: str) -> List[str]:
values = []
backend = next((backend for backend in get_backends() if isinstance(backend, LDAPBackend)), None)
if backend is not None:
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
try:
ldap_username = backend.django_to_ldap_username(email)
ldap: Improve logging. Our ldap integration is quite sensitive to misconfigurations, so more logging is better than less to help debug those issues. Despite the following docstring on ZulipLDAPException: "Since this inherits from _LDAPUser.AuthenticationFailed, these will be caught and logged at debug level inside django-auth-ldap's authenticate()" We weren't actually logging anything, because debug level messages were ignored due to our general logging settings. It is however desirable to log these errors, as they can prove useful in debugging configuration problems. The django_auth_ldap logger can get fairly spammy on debug level, so we delegate ldap logging to a separate file /var/log/zulip/ldap.log to avoid spamming server.log too much.
2019-12-27 23:03:00 +01:00
except ZulipLDAPExceptionNoMatchingLDAPUser as e:
python: Convert "".format to Python 3.6 f-strings. Generated by pyupgrade --py36-plus --keep-percent-format, but with the NamedTuple changes reverted (see commit ba7906a3c657905fa35bbcfb4e97b053f050272d, #15132). Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-09 00:25:09 +02:00
values.append(f"No such user found: {e}")
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
return values
ldap_attrs = _LDAPUser(backend, ldap_username).attrs
for django_field, ldap_field in settings.AUTH_LDAP_USER_ATTR_MAP.items():
python: Use trailing commas consistently. Automatically generated by the following script, based on the output of lint with flake8-comma: import re import sys last_filename = None last_row = None lines = [] for msg in sys.stdin: m = re.match( r"\x1b\[35mflake8 \|\x1b\[0m \x1b\[1;31m(.+):(\d+):(\d+): (\w+)", msg ) if m: filename, row_str, col_str, err = m.groups() row, col = int(row_str), int(col_str) if filename == last_filename: assert last_row != row else: if last_filename is not None: with open(last_filename, "w") as f: f.writelines(lines) with open(filename) as f: lines = f.readlines() last_filename = filename last_row = row line = lines[row - 1] if err in ["C812", "C815"]: lines[row - 1] = line[: col - 1] + "," + line[col - 1 :] elif err in ["C819"]: assert line[col - 2] == "," lines[row - 1] = line[: col - 2] + line[col - 1 :].lstrip(" ") if last_filename is not None: with open(last_filename, "w") as f: f.writelines(lines) Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-10 05:23:40 +02:00
value = ldap_attrs.get(ldap_field, ["LDAP field not present"])[0]
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
if django_field == "avatar":
if isinstance(value, bytes):
value = "(An avatar image file)"
python: Convert percent formatting to Python 3.6 f-strings. Generated by pyupgrade --py36-plus. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-10 06:41:04 +02:00
values.append(f"{django_field}: {value}")
ldap: Ensure django_to_ldap_username returns username that is in ldap. This changes the way django_to_ldap_username works to make sure the ldap username it returns actually has a corresponding ldap entry and raise an exception if that's not possible. It seems to be a more sound approach than just having it return its best guess - which was the case so far. Now there is a guarantee that what it returns is the username of an actual ldap user. This allows communicating to the registration flow when the email being registered doesn't belong to ldap, which then will proceed to register it via the normal email backend flow - finally fixing the bug where you couldn't register a non-ldap email even with the email backend enabled. These changes to the behavior of django_to_ldap_username require small refactorings in a couple of other functions that call it, as well as adapting some tests to these changes. Finally, additional tests are added for the above-mentioned registration flow behavior and some related corner-cases.
2019-10-25 02:26:05 +02:00
if settings.LDAP_EMAIL_ATTR is not None:
python: Convert percent formatting to Python 3.6 f-strings. Generated by pyupgrade --py36-plus. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-10 06:41:04 +02:00
values.append("{}: {}".format('email', ldap_attrs[settings.LDAP_EMAIL_ATTR][0]))
tests: Refactor `query_ldap()` and add complete test coverage.
2019-03-09 08:32:06 +01:00
else:
values.append("LDAP backend not configured on this server.")
return values
management: Move `query_ldap` function to `zproject/backends.py`. This will make it simpler to organize and unit-test all of our authentication backend code.
2019-03-09 07:52:14 +01:00
Add a new dev login page for logging in without a password on the dev VM. (imported from commit ac8f2504771c9907b7e92dc91cec5f7220ce951b)
2015-08-19 02:58:20 +02:00
class DevAuthBackend(ZulipAuthMixin):
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
"""Allow logging in as any user without a password. This is used for
convenience when developing Zulip, and is disabled in production."""
python: Whitespace fixes from autopep8. Generated by autopep8, with the setup.cfg configuration from #14532. I’m not sure why pycodestyle didn’t already flag these. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:45:30 +02:00
auth: Add auth_name attribute for non external auth backends. This commit adds `name` attribute for the backends that do not have them. This is just a kind of prep commit in case if we want to use `self.logger.xxxx()` in the future which is dependent on the `name` attribute. But right now these logging calls aren't used anywhere in those backends.
2020-06-03 13:18:08 +02:00
name = 'dev'
auth: Give all backend authenticate() optional request argument. This is required for our migration to Django 2.2. authenticate() definitions need to have that starting with Django 2.1. rate_limit_auth needs to be adjusted to expect the request in the first positional argument instead of a kwarg.
2020-02-04 14:04:10 +01:00
def authenticate(self, request: Optional[HttpRequest]=None, *,
dev_auth_username: str, realm: Realm,
backends: Convert authenticate methods to modern type annotations.
2017-11-21 20:47:26 +01:00
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
auth: Check for DevAuthBackend being enabled earlier.
2017-11-21 21:19:58 +01:00
if not dev_auth_enabled(realm):
return None
auth: Convert DevAuthBackend to use new helper.
2017-11-21 21:20:44 +01:00
return common_get_active_user(dev_auth_username, realm, return_data=return_data)
Add GitHub authentication. Fixes: #1042
2016-07-20 13:33:27 +02:00
python: Convert TypedDict declarations to Python 3.6 style. A subset of the diff generated by pyupgrade --py36-plus --keep-percent-format. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-05-02 06:24:43 +02:00
class ExternalAuthMethodDictT(TypedDict):
name: str
display_name: str
display_icon: Optional[str]
login_url: str
signup_url: str
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
class ExternalAuthMethod(ABC):
"""
To register a backend as an external_authentication_method, it should
subclass ExternalAuthMethod and define its dict_representation
classmethod, and finally use the external_auth_method class decorator to
get added to the EXTERNAL_AUTH_METHODS list.
"""
auth_backend_name = "undeclared"
name = "undeclared"
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:09:50 +02:00
display_icon: Optional[str] = None
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
# Used to determine how to order buttons on login form, backend with
# higher sort order are displayed first.
sort_order = 0
@classmethod
@abstractmethod
saml: Implement limiting of IdP to specified realms. Through the limit_to_subdomains setting on IdP dicts it's now possible to limit the IdP to only allow authenticating to the specified realms. Fixes #13340.
2020-04-10 16:30:02 +02:00
def dict_representation(cls, realm: Optional[Realm]=None) -> List[ExternalAuthMethodDictT]:
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
"""
Method returning dictionaries representing the authentication methods
corresponding to the backend that subclasses this. The documentation
for the external_authentication_methods field of the /server_settings endpoint
explains the details of these dictionaries.
This returns a list, because one backend can support configuring multiple methods,
that are all serviced by that backend - our SAML backend is an example of that.
"""
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:09:50 +02:00
EXTERNAL_AUTH_METHODS: List[Type[ExternalAuthMethod]] = []
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
def external_auth_method(cls: Type[ExternalAuthMethod]) -> Type[ExternalAuthMethod]:
assert issubclass(cls, ExternalAuthMethod)
EXTERNAL_AUTH_METHODS.append(cls)
return cls
auth: Add ExternalAuthResult to manage data in authentication flows. This new type eliminates a bunch of messy code that previously involved passing around long lists of mixed positional keyword and arguments, instead using a consistent data object for communicating about the state of an external authentication (constructed in backends.py). The result is a significantly more readable interface between zproject/backends.py and zerver/views/auth.py, though likely more could be done. This has the side effect of renaming fields for internally passed structures from name->full_name, next->redirect_to; this results in most of the test codebase changes. Modified by tabbott to add comments and collaboratively rewrite the initialization logic.
2020-02-23 18:58:08 +01:00
# We want to be able to store this data in redis, so it has to be easy to serialize.
# That's why we avoid having fields that could pose a problem for that.
backends: Convert ExternalAuthDataDict to Python 3.6 style. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-13 09:36:36 +02:00
class ExternalAuthDataDict(TypedDict, total=False):
subdomain: str
full_name: str
email: str
is_signup: bool
is_realm_creation: bool
redirect_to: str
mobile_flow_otp: Optional[str]
desktop_flow_otp: Optional[str]
multiuse_object_key: str
full_name_validated: bool
auth: Add ExternalAuthResult to manage data in authentication flows. This new type eliminates a bunch of messy code that previously involved passing around long lists of mixed positional keyword and arguments, instead using a consistent data object for communicating about the state of an external authentication (constructed in backends.py). The result is a significantly more readable interface between zproject/backends.py and zerver/views/auth.py, though likely more could be done. This has the side effect of renaming fields for internally passed structures from name->full_name, next->redirect_to; this results in most of the test codebase changes. Modified by tabbott to add comments and collaboratively rewrite the initialization logic.
2020-02-23 18:58:08 +01:00
class ExternalAuthResult:
LOGIN_KEY_PREFIX = "login_key_"
LOGIN_KEY_FORMAT = LOGIN_KEY_PREFIX + "{token}"
LOGIN_KEY_EXPIRATION_SECONDS = 15
LOGIN_TOKEN_LENGTH = UserProfile.API_KEY_LENGTH
def __init__(self, *, user_profile: Optional[UserProfile]=None,
data_dict: Optional[ExternalAuthDataDict]=None,
login_token: Optional[str]=None,
delete_stored_data: bool=True) -> None:
if data_dict is None:
data_dict = {}
if login_token is not None:
assert (not data_dict) and (user_profile is None), ("Passing in data_dict or user_profile " +
"with login_token is disallowed.")
self.instantiate_with_token(login_token, delete_stored_data)
else:
auth: Avoid unchecked casts. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-23 00:39:19 +02:00
self.data_dict = data_dict.copy()
auth: Add ExternalAuthResult to manage data in authentication flows. This new type eliminates a bunch of messy code that previously involved passing around long lists of mixed positional keyword and arguments, instead using a consistent data object for communicating about the state of an external authentication (constructed in backends.py). The result is a significantly more readable interface between zproject/backends.py and zerver/views/auth.py, though likely more could be done. This has the side effect of renaming fields for internally passed structures from name->full_name, next->redirect_to; this results in most of the test codebase changes. Modified by tabbott to add comments and collaboratively rewrite the initialization logic.
2020-02-23 18:58:08 +01:00
self.user_profile = user_profile
if self.user_profile is not None:
# Ensure data inconsistent with the user_profile wasn't passed in inside the data_dict argument.
assert 'full_name' not in data_dict or data_dict['full_name'] == self.user_profile.full_name
auth: Treat emails case-insensitively in ExternalAuthResult. Our intent throughout the codebase is to treat email case-insensitively. The only codepath affected by this bug is remote_user_sso, as that's the only one that currently passes potentially both a user_profile and ExternalAuthDataDict when creating the ExternalAuthResult. That's why we add a test specifically for that codepath.
2020-08-05 16:40:41 +02:00
assert 'email' not in data_dict or data_dict['email'].lower() == self.user_profile.delivery_email.lower()
auth: Add ExternalAuthResult to manage data in authentication flows. This new type eliminates a bunch of messy code that previously involved passing around long lists of mixed positional keyword and arguments, instead using a consistent data object for communicating about the state of an external authentication (constructed in backends.py). The result is a significantly more readable interface between zproject/backends.py and zerver/views/auth.py, though likely more could be done. This has the side effect of renaming fields for internally passed structures from name->full_name, next->redirect_to; this results in most of the test codebase changes. Modified by tabbott to add comments and collaboratively rewrite the initialization logic.
2020-02-23 18:58:08 +01:00
# Update these data_dict fields to ensure consistency with self.user_profile. This is mostly
# defensive code, but is useful in these scenarios:
# 1. user_profile argument was passed in, and no full_name or email_data in the data_dict arg.
# 2. We're instantiating from the login_token and the user has changed their full_name since
# the data was stored under the token.
self.data_dict['full_name'] = self.user_profile.full_name
self.data_dict['email'] = self.user_profile.delivery_email
if 'subdomain' not in self.data_dict:
self.data_dict['subdomain'] = self.user_profile.realm.subdomain
if not self.user_profile.is_mirror_dummy:
self.data_dict['is_signup'] = False
def store_data(self) -> str:
auth: Avoid unchecked casts. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-23 00:39:19 +02:00
key = put_dict_in_redis(redis_client, self.LOGIN_KEY_FORMAT, self.data_dict,
auth: Add ExternalAuthResult to manage data in authentication flows. This new type eliminates a bunch of messy code that previously involved passing around long lists of mixed positional keyword and arguments, instead using a consistent data object for communicating about the state of an external authentication (constructed in backends.py). The result is a significantly more readable interface between zproject/backends.py and zerver/views/auth.py, though likely more could be done. This has the side effect of renaming fields for internally passed structures from name->full_name, next->redirect_to; this results in most of the test codebase changes. Modified by tabbott to add comments and collaboratively rewrite the initialization logic.
2020-02-23 18:58:08 +01:00
expiration_seconds=self.LOGIN_KEY_EXPIRATION_SECONDS,
token_length=self.LOGIN_TOKEN_LENGTH)
token = key.split(self.LOGIN_KEY_PREFIX, 1)[1] # remove the prefix
return token
def instantiate_with_token(self, token: str, delete_stored_data: bool=True) -> None:
key = self.LOGIN_KEY_FORMAT.format(token=token)
data = get_dict_from_redis(redis_client, self.LOGIN_KEY_FORMAT, key)
if data is None or None in [data.get("email"), data.get("subdomain")]:
raise self.InvalidTokenError
if delete_stored_data:
redis_client.delete(key)
self.data_dict = cast(ExternalAuthDataDict, data)
# Here we refetch the UserProfile object (if any) for this
# ExternalAuthResult. Using authenticate() will re-check for
# (unlikely) races like the realm or user having been deactivated
# between generating this ExternalAuthResult and accessing it.
#
# In theory, we should return_data here so the caller can do
# more customized error messages for those unlikely races, but
# it's likely not worth implementing.
realm = get_realm(data['subdomain'])
self.user_profile = authenticate(username=data['email'], realm=realm,
use_dummy_backend=True)
class InvalidTokenError(Exception):
pass
auth: Merge RemoteUserBackend into external_authentication_methods. We register ZulipRemoteUserBackend as an external_authentication_method to make it show up in the corresponding field in the /server_settings endpoint. This also allows rendering its login button together with Google/Github/etc. leading to us being able to get rid of some of the code that was handling it as a special case - the js code for plumbing the "next" value and the special {% if only_sso %} block in login.html. An additional consequence of the login.html change is that now the backend will have it button rendered even if it isn't the only backend enabled on the server.
2019-12-10 00:42:12 +01:00
@external_auth_method
class ZulipRemoteUserBackend(RemoteUserBackend, ExternalAuthMethod):
"""Authentication backend that reads the Apache REMOTE_USER variable.
Used primarily in enterprise environments with an SSO solution
that has an Apache REMOTE_USER integration. For manual testing, see
https://zulip.readthedocs.io/en/latest/production/authentication-methods.html
See also remote_user_sso in zerver/views/auth.py.
"""
auth_backend_name = "RemoteUser"
name = "remoteuser"
display_icon = None
python: Pre-fix a few spots for better Black formatting. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-09-02 02:50:08 +02:00
# If configured, this backend should have its button near the top of the list.
sort_order = 9000
auth: Merge RemoteUserBackend into external_authentication_methods. We register ZulipRemoteUserBackend as an external_authentication_method to make it show up in the corresponding field in the /server_settings endpoint. This also allows rendering its login button together with Google/Github/etc. leading to us being able to get rid of some of the code that was handling it as a special case - the js code for plumbing the "next" value and the special {% if only_sso %} block in login.html. An additional consequence of the login.html change is that now the backend will have it button rendered even if it isn't the only backend enabled on the server.
2019-12-10 00:42:12 +01:00
create_unknown_user = False
auth: Give all backend authenticate() optional request argument. This is required for our migration to Django 2.2. authenticate() definitions need to have that starting with Django 2.1. rate_limit_auth needs to be adjusted to expect the request in the first positional argument instead of a kwarg.
2020-02-04 14:04:10 +01:00
def authenticate(self, request: Optional[HttpRequest]=None, *,
remote_user: str, realm: Realm,
auth: Merge RemoteUserBackend into external_authentication_methods. We register ZulipRemoteUserBackend as an external_authentication_method to make it show up in the corresponding field in the /server_settings endpoint. This also allows rendering its login button together with Google/Github/etc. leading to us being able to get rid of some of the code that was handling it as a special case - the js code for plumbing the "next" value and the special {% if only_sso %} block in login.html. An additional consequence of the login.html change is that now the backend will have it button rendered even if it isn't the only backend enabled on the server.
2019-12-10 00:42:12 +01:00
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
if not auth_enabled_helper(["RemoteUser"], realm):
return None
email = remote_user_to_email(remote_user)
return common_get_active_user(email, realm, return_data=return_data)
@classmethod
saml: Implement limiting of IdP to specified realms. Through the limit_to_subdomains setting on IdP dicts it's now possible to limit the IdP to only allow authenticating to the specified realms. Fixes #13340.
2020-04-10 16:30:02 +02:00
def dict_representation(cls, realm: Optional[Realm]=None) -> List[ExternalAuthMethodDictT]:
auth: Merge RemoteUserBackend into external_authentication_methods. We register ZulipRemoteUserBackend as an external_authentication_method to make it show up in the corresponding field in the /server_settings endpoint. This also allows rendering its login button together with Google/Github/etc. leading to us being able to get rid of some of the code that was handling it as a special case - the js code for plumbing the "next" value and the special {% if only_sso %} block in login.html. An additional consequence of the login.html change is that now the backend will have it button rendered even if it isn't the only backend enabled on the server.
2019-12-10 00:42:12 +01:00
return [dict(
name=cls.name,
display_name="SSO",
display_icon=cls.display_icon,
# The user goes to the same URL for both login and signup:
auth: Delegate RemoteUser SSO to browser when using the desktop app.
2020-06-01 14:24:21 +02:00
login_url=reverse('start-login-sso'),
signup_url=reverse('start-login-sso'),
auth: Merge RemoteUserBackend into external_authentication_methods. We register ZulipRemoteUserBackend as an external_authentication_method to make it show up in the corresponding field in the /server_settings endpoint. This also allows rendering its login button together with Google/Github/etc. leading to us being able to get rid of some of the code that was handling it as a special case - the js code for plumbing the "next" value and the special {% if only_sso %} block in login.html. An additional consequence of the login.html change is that now the backend will have it button rendered even if it isn't the only backend enabled on the server.
2019-12-10 00:42:12 +01:00
)]
auth: Redirect deactivated users with error for social auth backend. Fixes #11937. Also extracts the error message for a deactivated account to `DEACTIVATED_ACCOUNT_ERROR`.
2019-04-12 06:24:58 +02:00
def redirect_deactivated_user_to_login() -> HttpResponseRedirect:
auth: Redirect deactivated user to /login when attempting social login. (#12130)
2019-04-17 21:28:57 +02:00
# Specifying the template name makes sure that the user is not redirected to dev_login in case of
# a deactivated account on a test server.
login_url = reverse('zerver.views.auth.login_page', kwargs = {'template_name': 'zerver/login.html'})
auth: Redirect deactivated users with error for social auth backend. Fixes #11937. Also extracts the error message for a deactivated account to `DEACTIVATED_ACCOUNT_ERROR`.
2019-04-12 06:24:58 +02:00
redirect_url = login_url + '?is_deactivated=true'
return HttpResponseRedirect(redirect_url)
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
def social_associate_user_helper(backend: BaseAuth, return_data: Dict[str, Any],
auth: Fix return type annotations on social auth pipeline functions.
2020-02-13 14:10:57 +01:00
*args: Any, **kwargs: Any) -> Union[HttpResponse, Optional[UserProfile]]:
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
"""Responsible for doing the Zulip-account lookup and validation parts
of the Zulip Social auth pipeline (similar to the authenticate()
methods in most other auth backends in this file).
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
Returns a UserProfile object for successful authentication, and None otherwise.
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
"""
subdomain = backend.strategy.session_get('subdomain')
get_realm: raise DoesNotExist instead of returning None. This makes the implementation of `get_realm` consistent with its declared return type of `Realm` rather than `Optional[Realm]`. Fixes #12263. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-04 04:47:44 +02:00
try:
realm = get_realm(subdomain)
except Realm.DoesNotExist:
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
return_data["invalid_realm"] = True
return None
auth: Store realm id in return_data of social_associate_user_helper. Realm object is not json-serializable; store the realm id instead and retrieve the realm in social_auth_finish using `Realm.objects.get(id=return_data["realm_id"])`.
2018-07-10 12:29:06 +02:00
return_data["realm_id"] = realm.id
auth: Log when a user tries to login with deactivated account. Helps to see if users are often trying to login with deactived accounts. A use case: Trackdown whether any deactivated bot users are still trying to access the API. This implementation adds a new key `inactive_user_id` to `return_data` in the function `is_user_active` which check if a `user_profile` is active. This reduces the effort of getting `user_id` just before logging. Modified tests for line coverage.
2020-05-19 22:36:51 +02:00
return_data["realm_string_id"] = realm.string_id
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
if not auth_enabled_helper([backend.auth_backend_name], realm):
return_data["auth_backend_disabled"] = True
return None
Add GitHub authentication. Fixes: #1042
2016-07-20 13:33:27 +02:00
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
if 'auth_failed_reason' in kwargs.get('response', {}):
return_data["social_auth_failed_reason"] = kwargs['response']["auth_failed_reason"]
return None
github: Refactor email extraction to use the full emails data set. It's possible to make GitHub social authentication support letting the user pick which of their verified email addresses to pick, using the python-social-auth pipeline feature. We need to add an additional screen to let the user pick, so we're not adding support for that now, but this at least migrates this to use the data set of all emails that have been verified as associated with the user's GitHub account (and we just assume the user wants their primary email). This also fixes the inability for very old GitHub accounts (where the `email` field in the details might be a string the user wanted on their GitHub profile page) to using GitHub auth to login. Fixes #9127.
2018-06-07 00:19:06 +02:00
elif hasattr(backend, 'get_verified_emails'):
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
# Some social backends, like GitHubAuthBackend, don't
# guarantee that the `details` data is validated (i.e., it's
# possible users can put any string they want in the "email"
# field of the `details` object). For those backends, we have
# custom per-backend code to properly fetch only verified
# email addresses from the appropriate third-party API.
auth: Allow signing in to an existing account with noreply github email. In particular importing gitter data leads to having accounts with these noreply github emails. We generally only want users to have emails that we can actually send messages to, so we'll keep the old behavior of disallowing sign up with such an email address. However, if an account of this type already exists, we should allow the user to have access to it.
2020-07-22 18:31:56 +02:00
verified_emails = backend.get_verified_emails(realm, *args, **kwargs)
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
verified_emails_length = len(verified_emails)
if verified_emails_length == 0:
github: Refactor email extraction to use the full emails data set. It's possible to make GitHub social authentication support letting the user pick which of their verified email addresses to pick, using the python-social-auth pipeline feature. We need to add an additional screen to let the user pick, so we're not adding support for that now, but this at least migrates this to use the data set of all emails that have been verified as associated with the user's GitHub account (and we just assume the user wants their primary email). This also fixes the inability for very old GitHub accounts (where the `email` field in the details might be a string the user wanted on their GitHub profile page) to using GitHub auth to login. Fixes #9127.
2018-06-07 00:19:06 +02:00
# TODO: Provide a nice error message screen to the user
# for this case, rather than just logging a warning.
logging: Set up a different logger for each backend. Adds a top-level logger in `settings.LOGGING` `zulip.auth` with the default handlers `DEFAULT_ZULIP_HANDLERS` and an extra hanlder that writes to `/var/log/zulip/auth.log`. Each auth backend uses it's own logger, `self.logger` which is in form 'zulip.auth.<backend name>'. This way it's clear which auth backend generated the log and is easier to look for all authentication logs in one file. Besides the above mentioned changes, `name` attribute is added to `ZulipAuthMixin` so that these logging kind of calls wouldn't raise any issues when logging is tried in a class without `name` attribute. Also in the tests we use a new way to check if logger calls are made i.e. we use `assertLogs` to test if something is logged. Thanks to Mateusz Mandera for the idea of having a seperate logger for auth backends and suggestion of using `assertLogs`.
2020-06-02 20:20:53 +02:00
backend.logger.warning("Social auth (%s) failed because user has no verified emails",
backend.auth_backend_name)
github: Refactor email extraction to use the full emails data set. It's possible to make GitHub social authentication support letting the user pick which of their verified email addresses to pick, using the python-social-auth pipeline feature. We need to add an additional screen to let the user pick, so we're not adding support for that now, but this at least migrates this to use the data set of all emails that have been verified as associated with the user's GitHub account (and we just assume the user wants their primary email). This also fixes the inability for very old GitHub accounts (where the `email` field in the details might be a string the user wanted on their GitHub profile page) to using GitHub auth to login. Fixes #9127.
2018-06-07 00:19:06 +02:00
return_data["email_not_verified"] = True
return None
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
if verified_emails_length == 1:
chosen_email = verified_emails[0]
else:
chosen_email = backend.strategy.request_data().get('email')
if not chosen_email:
auth: Add logic for avatars to the GitHub auth email selection page. For the emails that are associated to an existing account in an organisation, the avatars will be displayed in the email selection page. This includes avatar data in what is passed to the page. Added `avatar_urls` to the context in `test_templates.py`.
2019-08-03 14:15:32 +02:00
avatars = {} # Dict[str, str]
auth: Improve GitHub auth with multiple verified emails. The previous model for GitHub authentication was as follows: * If the user has only one verified email address, we'll generally just log them in to that account * If the user has multiple verified email addresses, we will always prompt them to pick which one to use, with the one registered as "primary" in GitHub listed at the top. This change fixes the situation for users going through a "login" flow (not registration) where exactly one of the emails has an account in the Zulip oragnization -- they should just be logged in. Fixes part of #12638.
2019-12-30 20:31:36 +01:00
existing_account_emails = []
auth: Add logic for avatars to the GitHub auth email selection page. For the emails that are associated to an existing account in an organisation, the avatars will be displayed in the email selection page. This includes avatar data in what is passed to the page. Added `avatar_urls` to the context in `test_templates.py`.
2019-08-03 14:15:32 +02:00
for email in verified_emails:
existing_account = common_get_active_user(email, realm, {})
if existing_account is not None:
auth: Improve GitHub auth with multiple verified emails. The previous model for GitHub authentication was as follows: * If the user has only one verified email address, we'll generally just log them in to that account * If the user has multiple verified email addresses, we will always prompt them to pick which one to use, with the one registered as "primary" in GitHub listed at the top. This change fixes the situation for users going through a "login" flow (not registration) where exactly one of the emails has an account in the Zulip oragnization -- they should just be logged in. Fixes part of #12638.
2019-12-30 20:31:36 +01:00
existing_account_emails.append(email)
auth: Add logic for avatars to the GitHub auth email selection page. For the emails that are associated to an existing account in an organisation, the avatars will be displayed in the email selection page. This includes avatar data in what is passed to the page. Added `avatar_urls` to the context in `test_templates.py`.
2019-08-03 14:15:32 +02:00
avatars[email] = avatar_url(existing_account)
auth: Extend the template for "choose email" in GitHub auth flow. This commit extends the template for "choose email" to mention for users who have unverified emails that they need to verify them before using them for Zulip authentication. Also modified `social_auth_test_finish` to assert if all emails are present in "choose email" screen as we need unverified emails to be shown to user and verified emails to login/signup. Fixes #12638 as this was the last task for that issue.
2020-03-28 10:59:06 +01:00
auth: Improve GitHub auth with multiple verified emails. The previous model for GitHub authentication was as follows: * If the user has only one verified email address, we'll generally just log them in to that account * If the user has multiple verified email addresses, we will always prompt them to pick which one to use, with the one registered as "primary" in GitHub listed at the top. This change fixes the situation for users going through a "login" flow (not registration) where exactly one of the emails has an account in the Zulip oragnization -- they should just be logged in. Fixes part of #12638.
2019-12-30 20:31:36 +01:00
if (len(existing_account_emails) != 1 or backend.strategy.session_get('is_signup') == '1'):
auth: Extend the template for "choose email" in GitHub auth flow. This commit extends the template for "choose email" to mention for users who have unverified emails that they need to verify them before using them for Zulip authentication. Also modified `social_auth_test_finish` to assert if all emails are present in "choose email" screen as we need unverified emails to be shown to user and verified emails to login/signup. Fixes #12638 as this was the last task for that issue.
2020-03-28 10:59:06 +01:00
unverified_emails = []
if hasattr(backend, 'get_unverified_emails'):
auth: Allow signing in to an existing account with noreply github email. In particular importing gitter data leads to having accounts with these noreply github emails. We generally only want users to have emails that we can actually send messages to, so we'll keep the old behavior of disallowing sign up with such an email address. However, if an account of this type already exists, we should allow the user to have access to it.
2020-07-22 18:31:56 +02:00
unverified_emails = backend.get_unverified_emails(realm, *args, **kwargs)
auth: Improve GitHub auth with multiple verified emails. The previous model for GitHub authentication was as follows: * If the user has only one verified email address, we'll generally just log them in to that account * If the user has multiple verified email addresses, we will always prompt them to pick which one to use, with the one registered as "primary" in GitHub listed at the top. This change fixes the situation for users going through a "login" flow (not registration) where exactly one of the emails has an account in the Zulip oragnization -- they should just be logged in. Fixes part of #12638.
2019-12-30 20:31:36 +01:00
return render(backend.strategy.request, 'zerver/social_auth_select_email.html', context = {
'primary_email': verified_emails[0],
'verified_non_primary_emails': verified_emails[1:],
auth: Extend the template for "choose email" in GitHub auth flow. This commit extends the template for "choose email" to mention for users who have unverified emails that they need to verify them before using them for Zulip authentication. Also modified `social_auth_test_finish` to assert if all emails are present in "choose email" screen as we need unverified emails to be shown to user and verified emails to login/signup. Fixes #12638 as this was the last task for that issue.
2020-03-28 10:59:06 +01:00
'unverified_emails': unverified_emails,
auth: Improve GitHub auth with multiple verified emails. The previous model for GitHub authentication was as follows: * If the user has only one verified email address, we'll generally just log them in to that account * If the user has multiple verified email addresses, we will always prompt them to pick which one to use, with the one registered as "primary" in GitHub listed at the top. This change fixes the situation for users going through a "login" flow (not registration) where exactly one of the emails has an account in the Zulip oragnization -- they should just be logged in. Fixes part of #12638.
2019-12-30 20:31:36 +01:00
'backend': 'github',
'avatar_urls': avatars,
})
else:
chosen_email = existing_account_emails[0]
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
try:
validate_email(chosen_email)
except ValidationError:
return_data['invalid_email'] = True
return None
if chosen_email not in verified_emails:
# If a user edits the submit value for the choose email form, we might
# end up with a wrong email associated with the account. The below code
# takes care of that.
logging: Set up a different logger for each backend. Adds a top-level logger in `settings.LOGGING` `zulip.auth` with the default handlers `DEFAULT_ZULIP_HANDLERS` and an extra hanlder that writes to `/var/log/zulip/auth.log`. Each auth backend uses it's own logger, `self.logger` which is in form 'zulip.auth.<backend name>'. This way it's clear which auth backend generated the log and is easier to look for all authentication logs in one file. Besides the above mentioned changes, `name` attribute is added to `ZulipAuthMixin` so that these logging kind of calls wouldn't raise any issues when logging is tried in a class without `name` attribute. Also in the tests we use a new way to check if logger calls are made i.e. we use `assertLogs` to test if something is logged. Thanks to Mateusz Mandera for the idea of having a seperate logger for auth backends and suggestion of using `assertLogs`.
2020-06-02 20:20:53 +02:00
backend.logger.warning("Social auth (%s) failed because user has no verified"
" emails associated with the account",
backend.auth_backend_name)
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
return_data["email_not_associated"] = True
return None
validated_email = chosen_email
social auth: Validate email in backends without get_verified_emails. If the social backend doesn't have get_verified_emails emails, and we simply grab kwargs["details"].get("email") for the email, we should still validate it is correct. Needed for SAML. This will get covered by tests in upcoming commits that add SAML support.
2019-09-28 01:51:36 +02:00
else:
try:
validate_email(kwargs["details"].get("email"))
except ValidationError:
return_data['invalid_email'] = True
return None
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
validated_email = kwargs["details"].get("email")
if not validated_email: # nocoverage
# This code path isn't used with GitHubAuthBackend, but may be relevant for other
# social auth backends.
return_data['invalid_email'] = True
return None
return_data["valid_attestation"] = True
return_data['validated_email'] = validated_email
user_profile = common_get_active_user(validated_email, realm, return_data)
social_auth: Construct fullname from first and last name if needed. Needed for SAML. This will get covered by tests in upcoming commits that add SAML support.
2019-09-28 01:49:58 +02:00
full_name = kwargs['details'].get('fullname')
auth: Restructure code handling no name data sent by auth backend. Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2020-06-28 15:23:21 +02:00
first_name = kwargs['details'].get('first_name')
last_name = kwargs['details'].get('last_name')
if all(name is None for name in [full_name, first_name, last_name]) and backend.name != "apple":
docs: Correct “login” as a verb to “log in”. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-08-11 02:20:10 +02:00
# Apple authentication provides the user's name only the very first time a user tries to log in.
auth: Restructure code handling no name data sent by auth backend. Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2020-06-28 15:23:21 +02:00
# So if the user aborts login or otherwise is doing this the second time,
# we won't have any name data. So, this case is handled with the code below
# setting full name to empty string.
# We need custom code here for any social auth backends
# that don't provide name details feature.
raise AssertionError("Social auth backend doesn't provide name")
social_auth: Construct fullname from first and last name if needed. Needed for SAML. This will get covered by tests in upcoming commits that add SAML support.
2019-09-28 01:49:58 +02:00
if full_name:
return_data["full_name"] = full_name
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
else:
requirements: Update social-auth-core to latest version. Uses git release as this version 3.4.0 is not released to pypi. This is required for removing some overriden functions of apple auth backend class AppleAuthBackend. With the update we also make following changes: * Fix full name being populated as "None None". c5c74f27dd that's included in update assigns first_name and last_name to None when no name is provided by apple. Due to this our code is filling return_data['full_name'] to 'None None'. This commit fixes it by making first and last name strings empty. * Remove decode_id_token override. Python social auth merged the PR we sent including the changes we made to decode_id_token function. So, now there is no necessity for the override. * Add _AUDIENCE setting in computed_settings.py. `decode_id_token` is dependent on this setting.
2020-06-24 15:28:47 +02:00
# Some authentications methods like Apple and SAML send
docs: Fix spelling errors caught by codespell. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-08-11 01:47:44 +02:00
# first name and last name as separate attributes. In that case
social_auth: Construct fullname from first and last name if needed. Needed for SAML. This will get covered by tests in upcoming commits that add SAML support.
2019-09-28 01:49:58 +02:00
# we construct the full name from them.
python: Pre-fix a few spots for better Black formatting. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-09-02 02:50:08 +02:00
# strip removes the unnecessary ' '
return_data["full_name"] = f"{first_name or ''} {last_name or ''}".strip()
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
return user_profile
github: Return '' when name is None.
2017-03-09 09:45:21 +01:00
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
@partial
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
def social_auth_associate_user(
backend: BaseAuth,
*args: Any,
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
**kwargs: Any) -> Union[HttpResponse, Dict[str, Any]]:
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
"""A simple wrapper function to reformat the return data from
social_associate_user_helper as a dictionary. The
python-social-auth infrastructure will then pass those values into
later stages of settings.SOCIAL_AUTH_PIPELINE, such as
social_auth_finish, as kwargs.
"""
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
partial_token = backend.strategy.request_data().get('partial_token')
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:09:50 +02:00
return_data: Dict[str, Any] = {}
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
user_profile = social_associate_user_helper(
backend, return_data, *args, **kwargs)
python: Convert type checks to isinstance checks. Generated by autopep8 --aggressive, with the setup.cfg configuration from #14532. In general, an isinstance check may not be equivalent to a type check because it includes subtypes; however, that’s usually what you want. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:59:09 +02:00
if isinstance(user_profile, HttpResponse):
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
return user_profile
else:
return {'user_profile': user_profile,
'return_data': return_data,
'partial_token': partial_token,
'partial_backend_name': backend}
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
def social_auth_finish(backend: Any,
details: Dict[str, Any],
response: HttpResponse,
*args: Any,
auth: Fix return type annotations on social auth pipeline functions.
2020-02-13 14:10:57 +01:00
**kwargs: Any) -> Optional[HttpResponse]:
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
"""Given the determination in social_auth_associate_user for whether
the user should be authenticated, this takes care of actually
logging in the user (if appropriate) and redirecting the browser
to the appropriate next page depending on the situation. Read the
comments below as well as login_or_register_remote_user in
`zerver/views/auth.py` for the details on how that dispatch works.
"""
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-11 00:54:34 +02:00
from zerver.views.auth import login_or_register_remote_user, redirect_and_log_into_subdomain
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
user_profile = kwargs['user_profile']
return_data = kwargs['return_data']
github: Refactor email extraction to use the full emails data set. It's possible to make GitHub social authentication support letting the user pick which of their verified email addresses to pick, using the python-social-auth pipeline feature. We need to add an additional screen to let the user pick, so we're not adding support for that now, but this at least migrates this to use the data set of all emails that have been verified as associated with the user's GitHub account (and we just assume the user wants their primary email). This also fixes the inability for very old GitHub accounts (where the `email` field in the details might be a string the user wanted on their GitHub profile page) to using GitHub auth to login. Fixes #9127.
2018-06-07 00:19:06 +02:00
no_verified_email = return_data.get("email_not_verified")
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
auth_backend_disabled = return_data.get('auth_backend_disabled')
inactive_user = return_data.get('inactive_user')
inactive_realm = return_data.get('inactive_realm')
invalid_realm = return_data.get('invalid_realm')
invalid_email = return_data.get('invalid_email')
auth_failed_reason = return_data.get("social_auth_failed_reason")
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
email_not_associated = return_data.get("email_not_associated")
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
if invalid_realm:
social_auth: Take user to find_account if invalid subdomain is given. This allows to also clean up some code that's not really useful.
2020-02-15 17:08:09 +01:00
# User has passed an invalid subdomain param - this shouldn't happen in the normal flow,
# unless the user manually edits the param. In any case, it's most appropriate to just take
# them to find_account, as there isn't even an appropriate subdomain to take them to the login
# form on.
return HttpResponseRedirect(reverse('zerver.views.registration.find_account'))
auth: Redirect deactivated users with error for social auth backend. Fixes #11937. Also extracts the error message for a deactivated account to `DEACTIVATED_ACCOUNT_ERROR`.
2019-04-12 06:24:58 +02:00
if inactive_user:
logging: Set up a different logger for each backend. Adds a top-level logger in `settings.LOGGING` `zulip.auth` with the default handlers `DEFAULT_ZULIP_HANDLERS` and an extra hanlder that writes to `/var/log/zulip/auth.log`. Each auth backend uses it's own logger, `self.logger` which is in form 'zulip.auth.<backend name>'. This way it's clear which auth backend generated the log and is easier to look for all authentication logs in one file. Besides the above mentioned changes, `name` attribute is added to `ZulipAuthMixin` so that these logging kind of calls wouldn't raise any issues when logging is tried in a class without `name` attribute. Also in the tests we use a new way to check if logger calls are made i.e. we use `assertLogs` to test if something is logged. Thanks to Mateusz Mandera for the idea of having a seperate logger for auth backends and suggestion of using `assertLogs`.
2020-06-02 20:20:53 +02:00
backend.logger.info("Failed login attempt for deactivated account: %s@%s",
return_data['inactive_user_id'], return_data['realm_string_id'])
auth: Redirect deactivated users with error for social auth backend. Fixes #11937. Also extracts the error message for a deactivated account to `DEACTIVATED_ACCOUNT_ERROR`.
2019-04-12 06:24:58 +02:00
return redirect_deactivated_user_to_login()
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
if auth_backend_disabled or inactive_realm or no_verified_email or email_not_associated:
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
# Redirect to login page. We can't send to registration
# workflow with these errors. We will redirect to login page.
return None
if invalid_email:
# In case of invalid email, we will end up on registration page.
# This seems better than redirecting to login page.
logging: Set up a different logger for each backend. Adds a top-level logger in `settings.LOGGING` `zulip.auth` with the default handlers `DEFAULT_ZULIP_HANDLERS` and an extra hanlder that writes to `/var/log/zulip/auth.log`. Each auth backend uses it's own logger, `self.logger` which is in form 'zulip.auth.<backend name>'. This way it's clear which auth backend generated the log and is easier to look for all authentication logs in one file. Besides the above mentioned changes, `name` attribute is added to `ZulipAuthMixin` so that these logging kind of calls wouldn't raise any issues when logging is tried in a class without `name` attribute. Also in the tests we use a new way to check if logger calls are made i.e. we use `assertLogs` to test if something is logged. Thanks to Mateusz Mandera for the idea of having a seperate logger for auth backends and suggestion of using `assertLogs`.
2020-06-02 20:20:53 +02:00
backend.logger.warning(
logging: Pass format arguments to logging. https://docs.python.org/3/howto/logging.html#optimization Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-05-02 08:44:14 +02:00
"%s got invalid email argument.", backend.auth_backend_name,
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
)
return None
Add GitHub authentication. Fixes: #1042
2016-07-20 13:33:27 +02:00
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
if auth_failed_reason:
logging: Set up a different logger for each backend. Adds a top-level logger in `settings.LOGGING` `zulip.auth` with the default handlers `DEFAULT_ZULIP_HANDLERS` and an extra hanlder that writes to `/var/log/zulip/auth.log`. Each auth backend uses it's own logger, `self.logger` which is in form 'zulip.auth.<backend name>'. This way it's clear which auth backend generated the log and is easier to look for all authentication logs in one file. Besides the above mentioned changes, `name` attribute is added to `ZulipAuthMixin` so that these logging kind of calls wouldn't raise any issues when logging is tried in a class without `name` attribute. Also in the tests we use a new way to check if logger calls are made i.e. we use `assertLogs` to test if something is logged. Thanks to Mateusz Mandera for the idea of having a seperate logger for auth backends and suggestion of using `assertLogs`.
2020-06-02 20:20:53 +02:00
backend.logger.info(auth_failed_reason)
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
return None
# Structurally, all the cases where we don't have an authenticated
# email for the user should be handled above; this assertion helps
# prevent any violations of that contract from resulting in a user
# being incorrectly authenticated.
assert return_data.get('valid_attestation') is True
backends: Clean up type ignores. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-08-10 00:30:35 +02:00
strategy = backend.strategy
register: Pre-populate Name in social backend flow. By adding some additional plumbing (through PreregistrationUser) of the full_name and an additional full_name_validated option, we pre-populate the Full Name field in the registration form when coming through a social backend (google/github/saml/etc.) and potentially skip the registration form (if the user would have nothing to do there other than clicking the Confirm button) and just create the account and log the user in.
2019-11-01 00:00:36 +01:00
full_name_validated = backend.full_name_validated
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
email_address = return_data['validated_email']
full_name = return_data['full_name']
redirect_to = strategy.session_get('next')
auth: Store realm id in return_data of social_associate_user_helper. Realm object is not json-serializable; store the realm id instead and retrieve the realm in social_auth_finish using `Realm.objects.get(id=return_data["realm_id"])`.
2018-07-10 12:29:06 +02:00
realm = Realm.objects.get(id=return_data["realm_id"])
auth2: Don't use session for passing multiuse invite key. For Google auth, the multiuse invite key should be stored in the csrf_state sent to google along with other values like is_signup, mobile_flow_otp. For social auth, the multiuse invite key should be passed as params to the social-auth backend. The passing of the key is handled by social_auth pipeline and made available to us when the auth is completed.
2019-02-08 17:09:25 +01:00
multiuse_object_key = strategy.session_get('multiuse_object_key', '')
auth: Ensure only one of mobile and desktop otps in validate_otp_params. validate_otp_params needs to be moved to backends.py, because as of this commit it'll be used both there and in views.auth - and import from views.auth to backends.py causes circular import issue.
2020-02-01 17:45:22 +01:00
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
mobile_flow_otp = strategy.session_get('mobile_flow_otp')
auth: Implement server side of desktop_flow_otp.
2020-01-23 14:22:28 +01:00
desktop_flow_otp = strategy.session_get('desktop_flow_otp')
auth: Ensure only one of mobile and desktop otps in validate_otp_params. validate_otp_params needs to be moved to backends.py, because as of this commit it'll be used both there and in views.auth - and import from views.auth to backends.py causes circular import issue.
2020-02-01 17:45:22 +01:00
validate_otp_params(mobile_flow_otp, desktop_flow_otp)
auth: Implement server side of desktop_flow_otp.
2020-01-23 14:22:28 +01:00
social_auth: Set is_signup=False if the user is already signed up. Because of how login_or_register_remote_user code is structured, this doesn't change how the flow will go, but it's not a clean use of login_or_register_remote_user to call it with is_signup=True if sign up shouldn't actually happen - and may be fragile when refactoring login_or_register_remote_user.
2020-01-17 18:57:13 +01:00
if user_profile is None or user_profile.is_mirror_dummy:
is_signup = strategy.session_get('is_signup') == '1'
else:
is_signup = False
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
# At this point, we have now confirmed that the user has
# demonstrated control over the target email address.
#
# The next step is to call login_or_register_remote_user, but
# there are two code paths here because of an optimization to save
auth: Implement server side of desktop_flow_otp.
2020-01-23 14:22:28 +01:00
# a redirect on mobile and desktop.
auth: Add ExternalAuthResult to manage data in authentication flows. This new type eliminates a bunch of messy code that previously involved passing around long lists of mixed positional keyword and arguments, instead using a consistent data object for communicating about the state of an external authentication (constructed in backends.py). The result is a significantly more readable interface between zproject/backends.py and zerver/views/auth.py, though likely more could be done. This has the side effect of renaming fields for internally passed structures from name->full_name, next->redirect_to; this results in most of the test codebase changes. Modified by tabbott to add comments and collaboratively rewrite the initialization logic.
2020-02-23 18:58:08 +01:00
data_dict = ExternalAuthDataDict(
subdomain=realm.subdomain,
is_signup=is_signup,
redirect_to=redirect_to,
multiuse_object_key=multiuse_object_key,
full_name_validated=full_name_validated,
mobile_flow_otp=mobile_flow_otp,
python: Use trailing commas consistently. Automatically generated by the following script, based on the output of lint with flake8-comma: import re import sys last_filename = None last_row = None lines = [] for msg in sys.stdin: m = re.match( r"\x1b\[35mflake8 \|\x1b\[0m \x1b\[1;31m(.+):(\d+):(\d+): (\w+)", msg ) if m: filename, row_str, col_str, err = m.groups() row, col = int(row_str), int(col_str) if filename == last_filename: assert last_row != row else: if last_filename is not None: with open(last_filename, "w") as f: f.writelines(lines) with open(filename) as f: lines = f.readlines() last_filename = filename last_row = row line = lines[row - 1] if err in ["C812", "C815"]: lines[row - 1] = line[: col - 1] + "," + line[col - 1 :] elif err in ["C819"]: assert line[col - 2] == "," lines[row - 1] = line[: col - 2] + line[col - 1 :].lstrip(" ") if last_filename is not None: with open(last_filename, "w") as f: f.writelines(lines) Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-10 05:23:40 +02:00
desktop_flow_otp=desktop_flow_otp,
auth: Add ExternalAuthResult to manage data in authentication flows. This new type eliminates a bunch of messy code that previously involved passing around long lists of mixed positional keyword and arguments, instead using a consistent data object for communicating about the state of an external authentication (constructed in backends.py). The result is a significantly more readable interface between zproject/backends.py and zerver/views/auth.py, though likely more could be done. This has the side effect of renaming fields for internally passed structures from name->full_name, next->redirect_to; this results in most of the test codebase changes. Modified by tabbott to add comments and collaboratively rewrite the initialization logic.
2020-02-23 18:58:08 +01:00
)
if user_profile is None:
data_dict.update(dict(full_name=full_name, email=email_address))
auth: Implement server side of desktop_flow_otp.
2020-01-23 14:22:28 +01:00
auth: Add ExternalAuthResult to manage data in authentication flows. This new type eliminates a bunch of messy code that previously involved passing around long lists of mixed positional keyword and arguments, instead using a consistent data object for communicating about the state of an external authentication (constructed in backends.py). The result is a significantly more readable interface between zproject/backends.py and zerver/views/auth.py, though likely more could be done. This has the side effect of renaming fields for internally passed structures from name->full_name, next->redirect_to; this results in most of the test codebase changes. Modified by tabbott to add comments and collaboratively rewrite the initialization logic.
2020-02-23 18:58:08 +01:00
result = ExternalAuthResult(user_profile=user_profile, data_dict=data_dict)
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
auth: Add ExternalAuthResult to manage data in authentication flows. This new type eliminates a bunch of messy code that previously involved passing around long lists of mixed positional keyword and arguments, instead using a consistent data object for communicating about the state of an external authentication (constructed in backends.py). The result is a significantly more readable interface between zproject/backends.py and zerver/views/auth.py, though likely more could be done. This has the side effect of renaming fields for internally passed structures from name->full_name, next->redirect_to; this results in most of the test codebase changes. Modified by tabbott to add comments and collaboratively rewrite the initialization logic.
2020-02-23 18:58:08 +01:00
if mobile_flow_otp or desktop_flow_otp:
registration: Add support for mobile and desktop flows. This makes it possible to create a Zulip account from the mobile or desktop apps and have the end result be that the user is logged in on their mobile device. We may need small changes in the desktop and/or mobile apps to support this. Closes #10859.
2020-02-06 18:27:10 +01:00
if user_profile is not None and not user_profile.is_mirror_dummy:
# For mobile and desktop app authentication, login_or_register_remote_user
# will redirect to a special zulip:// URL that is handled by
# the app after a successful authentication; so we can
# redirect directly from here, saving a round trip over what
# we need to do to create session cookies on the right domain
# in the web login flow (below).
auth: Add ExternalAuthResult to manage data in authentication flows. This new type eliminates a bunch of messy code that previously involved passing around long lists of mixed positional keyword and arguments, instead using a consistent data object for communicating about the state of an external authentication (constructed in backends.py). The result is a significantly more readable interface between zproject/backends.py and zerver/views/auth.py, though likely more could be done. This has the side effect of renaming fields for internally passed structures from name->full_name, next->redirect_to; this results in most of the test codebase changes. Modified by tabbott to add comments and collaboratively rewrite the initialization logic.
2020-02-23 18:58:08 +01:00
return login_or_register_remote_user(strategy.request, result)
registration: Add support for mobile and desktop flows. This makes it possible to create a Zulip account from the mobile or desktop apps and have the end result be that the user is logged in on their mobile device. We may need small changes in the desktop and/or mobile apps to support this. Closes #10859.
2020-02-06 18:27:10 +01:00
else:
# The user needs to register, so we need to go the realm's
# subdomain for that.
pass
auth: Add detailed comments for auth subsystem. Now that we've more or less stabilized our authentication/registration subsystem how we want it, it seems worth adding proper documentation for this. Fixes #7619.
2019-03-10 02:43:29 +01:00
# If this authentication code were executing on
# subdomain.zulip.example.com, we would just call
# login_or_register_remote_user as in the mobile code path.
# However, because third-party SSO providers generally don't allow
# wildcard addresses in their redirect URLs, for multi-realm
# servers, we will have just completed authentication on e.g.
# auth.zulip.example.com (depending on
# settings.SOCIAL_AUTH_SUBDOMAIN), which cannot store cookies on
# the subdomain.zulip.example.com domain. So instead we serve a
# redirect (encoding the authentication result data in a
# cryptographically signed token) to a route on
# subdomain.zulip.example.com that will verify the signature and
# then call login_or_register_remote_user.
auth: Add ExternalAuthResult to manage data in authentication flows. This new type eliminates a bunch of messy code that previously involved passing around long lists of mixed positional keyword and arguments, instead using a consistent data object for communicating about the state of an external authentication (constructed in backends.py). The result is a significantly more readable interface between zproject/backends.py and zerver/views/auth.py, though likely more could be done. This has the side effect of renaming fields for internally passed structures from name->full_name, next->redirect_to; this results in most of the test codebase changes. Modified by tabbott to add comments and collaboratively rewrite the initialization logic.
2020-02-23 18:58:08 +01:00
return redirect_and_log_into_subdomain(result)
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
backends: Fix a type: ignore issue. I checked that this does not interfere with the MRO of the auth backends: In [1]: import zproject.backends; zproject.backends.GitHubAuthBackend.__mro__ Out[1]: (zproject.backends.GitHubAuthBackend, zproject.backends.SocialAuthMixin, zproject.backends.ZulipAuthMixin, zproject.backends.ExternalAuthMethod, abc.ABC, social_core.backends.github.GithubOAuth2, social_core.backends.oauth.BaseOAuth2, social_core.backends.oauth.OAuthAuth, social_core.backends.base.BaseAuth, object) Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-23 22:36:55 +02:00
class SocialAuthMixin(ZulipAuthMixin, ExternalAuthMethod, BaseAuth):
register: Pre-populate Name in social backend flow. By adding some additional plumbing (through PreregistrationUser) of the full_name and an additional full_name_validated option, we pre-populate the Full Name field in the registration form when coming through a social backend (google/github/saml/etc.) and potentially skip the registration form (if the user would have nothing to do there other than clicking the Confirm button) and just create the account and log the user in.
2019-11-01 00:00:36 +01:00
# Whether we expect that the full_name value obtained by the
# social backend is definitely how the user should be referred to
# in Zulip, which in turn determines whether we should always show
# a registration form in the event with a default value of the
# user's name when using this social backend so they can change
# it. For social backends like SAML that are expected to be a
# central database, this should be True; for backends like GitHub
# where the user might not have a name set or have it set to
# something other than the name they will prefer to use in Zulip,
# it should be False.
full_name_validated = False
python: Replace list literal concatenation with * unpacking. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-09-02 06:59:07 +02:00
standard_relay_params = [*settings.SOCIAL_AUTH_FIELDS_STORED_IN_SESSION, 'next']
auth: Move `standard_relay_params` of SAMLAuthBackend to `SocialAuthMixin`. Earlier this `standard_relay_params` was used only for SAML auth, now "Sign in with Apple" also requires this to store those params in session for reuse. So, this acts as a prep commit for "Sign in with Apple" auth support.
2020-05-16 17:09:08 +02:00
auth: Restore a minimal SocialAuthMixin. We need to do a small monkey-patching of python-social-auth to ensure that it doesn't 500 the request when a user does something funny in their browser (e.g. using the back button in the auth flow) that is fundamentally a user error, not a server error. This was present in the pre-rewrite version of our Social auth codebase, without clear documentation; I've fixed the explanation part here. It's perhaps worth investigating with the core social auth team whether there's a better way to do this.
2018-07-03 18:47:20 +02:00
def auth_complete(self, *args: Any, **kwargs: Any) -> Optional[HttpResponse]:
"""This is a small wrapper around the core `auth_complete` method of
python-social-auth, designed primarily to prevent 500s for
exceptions in the social auth code from situations that are
really user errors. Returning `None` from this function will
redirect the browser to the login page.
"""
try:
# Call the auth_complete method of social_core.backends.oauth.BaseOAuth2
backends: Fix a type: ignore issue. I checked that this does not interfere with the MRO of the auth backends: In [1]: import zproject.backends; zproject.backends.GitHubAuthBackend.__mro__ Out[1]: (zproject.backends.GitHubAuthBackend, zproject.backends.SocialAuthMixin, zproject.backends.ZulipAuthMixin, zproject.backends.ExternalAuthMethod, abc.ABC, social_core.backends.github.GithubOAuth2, social_core.backends.oauth.BaseOAuth2, social_core.backends.oauth.OAuthAuth, social_core.backends.base.BaseAuth, object) Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-23 22:36:55 +02:00
return super().auth_complete(*args, **kwargs)
auth: Gracefully handle bad http responses from IdP in social auth. If the IdP authentication API is flaky for some reason, it can return bad http responses, which will raise HTTPError inside python-social-auth. We don't want to generate a traceback in those cases, but simply log the exception and fail gracefully.
2020-05-20 14:52:03 +02:00
except (AuthFailed, HTTPError) as e:
auth: Restore a minimal SocialAuthMixin. We need to do a small monkey-patching of python-social-auth to ensure that it doesn't 500 the request when a user does something funny in their browser (e.g. using the back button in the auth flow) that is fundamentally a user error, not a server error. This was present in the pre-rewrite version of our Social auth codebase, without clear documentation; I've fixed the explanation part here. It's perhaps worth investigating with the core social auth team whether there's a better way to do this.
2018-07-03 18:47:20 +02:00
# When a user's social authentication fails (e.g. because
# they did something funny with reloading in the middle of
auth: Gracefully handle bad http responses from IdP in social auth. If the IdP authentication API is flaky for some reason, it can return bad http responses, which will raise HTTPError inside python-social-auth. We don't want to generate a traceback in those cases, but simply log the exception and fail gracefully.
2020-05-20 14:52:03 +02:00
# the flow or the IdP is unreliable and returns a bad http response),
# don't throw a 500, just send them back to the
auth: Restore a minimal SocialAuthMixin. We need to do a small monkey-patching of python-social-auth to ensure that it doesn't 500 the request when a user does something funny in their browser (e.g. using the back button in the auth flow) that is fundamentally a user error, not a server error. This was present in the pre-rewrite version of our Social auth codebase, without clear documentation; I've fixed the explanation part here. It's perhaps worth investigating with the core social auth team whether there's a better way to do this.
2018-07-03 18:47:20 +02:00
# login page and record the event at the info log level.
logging: Use logging.exception and exc_info for unexpected exceptions. logging.exception() and logging.debug(exc_info=True), etc. automatically include a traceback. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-12 01:35:37 +02:00
self.logger.info("%s: %s", e.__class__.__name__, str(e))
auth: Restore a minimal SocialAuthMixin. We need to do a small monkey-patching of python-social-auth to ensure that it doesn't 500 the request when a user does something funny in their browser (e.g. using the back button in the auth flow) that is fundamentally a user error, not a server error. This was present in the pre-rewrite version of our Social auth codebase, without clear documentation; I've fixed the explanation part here. It's perhaps worth investigating with the core social auth team whether there's a better way to do this.
2018-07-03 18:47:20 +02:00
return None
except SocialAuthBaseException as e:
# Other python-social-auth exceptions are likely
# interesting enough that we should log a warning.
logging: Set up a different logger for each backend. Adds a top-level logger in `settings.LOGGING` `zulip.auth` with the default handlers `DEFAULT_ZULIP_HANDLERS` and an extra hanlder that writes to `/var/log/zulip/auth.log`. Each auth backend uses it's own logger, `self.logger` which is in form 'zulip.auth.<backend name>'. This way it's clear which auth backend generated the log and is easier to look for all authentication logs in one file. Besides the above mentioned changes, `name` attribute is added to `ZulipAuthMixin` so that these logging kind of calls wouldn't raise any issues when logging is tried in a class without `name` attribute. Also in the tests we use a new way to check if logger calls are made i.e. we use `assertLogs` to test if something is logged. Thanks to Mateusz Mandera for the idea of having a seperate logger for auth backends and suggestion of using `assertLogs`.
2020-06-02 20:20:53 +02:00
self.logger.warning(str(e))
auth: Restore a minimal SocialAuthMixin. We need to do a small monkey-patching of python-social-auth to ensure that it doesn't 500 the request when a user does something funny in their browser (e.g. using the back button in the auth flow) that is fundamentally a user error, not a server error. This was present in the pre-rewrite version of our Social auth codebase, without clear documentation; I've fixed the explanation part here. It's perhaps worth investigating with the core social auth team whether there's a better way to do this.
2018-07-03 18:47:20 +02:00
return None
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
@classmethod
saml: Implement limiting of IdP to specified realms. Through the limit_to_subdomains setting on IdP dicts it's now possible to limit the IdP to only allow authenticating to the specified realms. Fixes #13340.
2020-04-10 16:30:02 +02:00
def dict_representation(cls, realm: Optional[Realm]=None) -> List[ExternalAuthMethodDictT]:
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
return [dict(
name=cls.name,
display_name=cls.auth_backend_name,
display_icon=cls.display_icon,
login_url=reverse('login-social', args=(cls.name,)),
signup_url=reverse('signup-social', args=(cls.name,)),
)]
@external_auth_method
auth: Restore a minimal SocialAuthMixin. We need to do a small monkey-patching of python-social-auth to ensure that it doesn't 500 the request when a user does something funny in their browser (e.g. using the back button in the auth flow) that is fundamentally a user error, not a server error. This was present in the pre-rewrite version of our Social auth codebase, without clear documentation; I've fixed the explanation part here. It's perhaps worth investigating with the core social auth team whether there's a better way to do this.
2018-07-03 18:47:20 +02:00
class GitHubAuthBackend(SocialAuthMixin, GithubOAuth2):
auth: Refactor social login rendering. login_context now gets the social_backends list through get_social_backend_dicts and we move display_logo customization to backend class definition. This prepares for easily adding multiple IdP support in SAML authentication - there will be a social_backend dict for each configured IdP, also allowing display_name and icon customization per IdP.
2019-10-22 18:11:28 +02:00
name = "github"
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
auth_backend_name = "GitHub"
auth: Reverse the `sort_order` parameter's semantics. This will make sure that if a backend doesn't specify a values for `sort_order` parameter then it will sorted to the bottom not at the top.
2019-03-10 09:38:20 +01:00
sort_order = 100
social_backends: Rename display_logo to display_icon.
2019-11-04 00:08:29 +01:00
display_icon = "/static/images/landing-page/logos/github-icon.png"
github: Return '' when name is None.
2017-03-09 09:45:21 +01:00
auth: Separate code to get all emails from `get_verified_emails`. This separates the part of code that gets all the emails associated to GitHub from `get_verified_emails` in `GitHubAuthBackend`. Improves readability of code and acts as a preparatory commit for extending the template for "choose email" in GitHub auth flow to also list any unverified emails that have an associated Zulip account in the organization.
2020-03-28 10:59:06 +01:00
def get_all_associated_email_objects(self, *args: Any, **kwargs: Any) -> List[Dict[str, Any]]:
github: Refactor email extraction to use the full emails data set. It's possible to make GitHub social authentication support letting the user pick which of their verified email addresses to pick, using the python-social-auth pipeline feature. We need to add an additional screen to let the user pick, so we're not adding support for that now, but this at least migrates this to use the data set of all emails that have been verified as associated with the user's GitHub account (and we just assume the user wants their primary email). This also fixes the inability for very old GitHub accounts (where the `email` field in the details might be a string the user wanted on their GitHub profile page) to using GitHub auth to login. Fixes #9127.
2018-06-07 00:19:06 +02:00
access_token = kwargs["response"]["access_token"]
try:
emails = self._user_data(access_token, '/emails')
except (HTTPError, ValueError, TypeError): # nocoverage
# We don't really need an explicit test for this code
# path, since the outcome will be the same as any other
# case without any verified emails
emails = []
auth: Separate code to get all emails from `get_verified_emails`. This separates the part of code that gets all the emails associated to GitHub from `get_verified_emails` in `GitHubAuthBackend`. Improves readability of code and acts as a preparatory commit for extending the template for "choose email" in GitHub auth flow to also list any unverified emails that have an associated Zulip account in the organization.
2020-03-28 10:59:06 +01:00
return emails
github: Refactor email extraction to use the full emails data set. It's possible to make GitHub social authentication support letting the user pick which of their verified email addresses to pick, using the python-social-auth pipeline feature. We need to add an additional screen to let the user pick, so we're not adding support for that now, but this at least migrates this to use the data set of all emails that have been verified as associated with the user's GitHub account (and we just assume the user wants their primary email). This also fixes the inability for very old GitHub accounts (where the `email` field in the details might be a string the user wanted on their GitHub profile page) to using GitHub auth to login. Fixes #9127.
2018-06-07 00:19:06 +02:00
auth: Allow signing in to an existing account with noreply github email. In particular importing gitter data leads to having accounts with these noreply github emails. We generally only want users to have emails that we can actually send messages to, so we'll keep the old behavior of disallowing sign up with such an email address. However, if an account of this type already exists, we should allow the user to have access to it.
2020-07-22 18:31:56 +02:00
def get_unverified_emails(self, realm: Realm, *args: Any, **kwargs: Any) -> List[str]:
auth: Extend the template for "choose email" in GitHub auth flow. This commit extends the template for "choose email" to mention for users who have unverified emails that they need to verify them before using them for Zulip authentication. Also modified `social_auth_test_finish` to assert if all emails are present in "choose email" screen as we need unverified emails to be shown to user and verified emails to login/signup. Fixes #12638 as this was the last task for that issue.
2020-03-28 10:59:06 +01:00
return [
auth: Allow signing in to an existing account with noreply github email. In particular importing gitter data leads to having accounts with these noreply github emails. We generally only want users to have emails that we can actually send messages to, so we'll keep the old behavior of disallowing sign up with such an email address. However, if an account of this type already exists, we should allow the user to have access to it.
2020-07-22 18:31:56 +02:00
email_obj['email'] for email_obj in self.get_usable_email_objects(realm, *args, **kwargs)
auth: Modify `filter_usable_emails` to only exclude noreply github emails. Instead of having to filter `@noreply.github.com` emails in `get_unverified_emails`, it's good to make `filter_usable_emails` just filter `@noreply.github.com` and handle verified/unverified part in their respective functions because of `@noreply.github.com` exception being a fiddly special-case detail. Also renamed `filter_usable_emails` to `get_usable_email_objects` as a line that gets all associated github emails is removed in `get_verified_emails` and `get_unverified_emails` and added to `filter_usable_emails`. The name `filter_usable_emails` suggests that it just filters given emails, whereas here it's getting all associated email objects and returning usable emails.
2020-04-03 20:01:03 +02:00
if not email_obj.get('verified')
auth: Extend the template for "choose email" in GitHub auth flow. This commit extends the template for "choose email" to mention for users who have unverified emails that they need to verify them before using them for Zulip authentication. Also modified `social_auth_test_finish` to assert if all emails are present in "choose email" screen as we need unverified emails to be shown to user and verified emails to login/signup. Fixes #12638 as this was the last task for that issue.
2020-03-28 10:59:06 +01:00
]
auth: Allow signing in to an existing account with noreply github email. In particular importing gitter data leads to having accounts with these noreply github emails. We generally only want users to have emails that we can actually send messages to, so we'll keep the old behavior of disallowing sign up with such an email address. However, if an account of this type already exists, we should allow the user to have access to it.
2020-07-22 18:31:56 +02:00
def get_verified_emails(self, realm: Realm, *args: Any, **kwargs: Any) -> List[str]:
auth: Modify `filter_usable_emails` to only exclude noreply github emails. Instead of having to filter `@noreply.github.com` emails in `get_unverified_emails`, it's good to make `filter_usable_emails` just filter `@noreply.github.com` and handle verified/unverified part in their respective functions because of `@noreply.github.com` exception being a fiddly special-case detail. Also renamed `filter_usable_emails` to `get_usable_email_objects` as a line that gets all associated github emails is removed in `get_verified_emails` and `get_unverified_emails` and added to `filter_usable_emails`. The name `filter_usable_emails` suggests that it just filters given emails, whereas here it's getting all associated email objects and returning usable emails.
2020-04-03 20:01:03 +02:00
# We only let users login using email addresses that are
# verified by GitHub, because the whole point is for the user
# to demonstrate that they control the target email address.
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:09:50 +02:00
verified_emails: List[str] = []
auth: Allow signing in to an existing account with noreply github email. In particular importing gitter data leads to having accounts with these noreply github emails. We generally only want users to have emails that we can actually send messages to, so we'll keep the old behavior of disallowing sign up with such an email address. However, if an account of this type already exists, we should allow the user to have access to it.
2020-07-22 18:31:56 +02:00
for email_obj in [obj for obj in self.get_usable_email_objects(realm, *args, **kwargs)
auth: Modify `filter_usable_emails` to only exclude noreply github emails. Instead of having to filter `@noreply.github.com` emails in `get_unverified_emails`, it's good to make `filter_usable_emails` just filter `@noreply.github.com` and handle verified/unverified part in their respective functions because of `@noreply.github.com` exception being a fiddly special-case detail. Also renamed `filter_usable_emails` to `get_usable_email_objects` as a line that gets all associated github emails is removed in `get_verified_emails` and `get_unverified_emails` and added to `filter_usable_emails`. The name `filter_usable_emails` suggests that it just filters given emails, whereas here it's getting all associated email objects and returning usable emails.
2020-04-03 20:01:03 +02:00
if obj.get('verified')]:
auth: GitHubAuthBackend.get_verified_emails returns user's all emails. The email_list returned has the primary email as the first element. Testing: The order of the emails in the test was changed to put a verified email before the primary one. The tests would fail without this commit's change after the changes in the order of test emails.
2018-07-10 12:03:42 +02:00
# social_associate_user_helper assumes that the first email in
# verified_emails is primary.
if email_obj.get("primary"):
verified_emails.insert(0, email_obj["email"])
else:
verified_emails.append(email_obj["email"])
github: Refactor email extraction to use the full emails data set. It's possible to make GitHub social authentication support letting the user pick which of their verified email addresses to pick, using the python-social-auth pipeline feature. We need to add an additional screen to let the user pick, so we're not adding support for that now, but this at least migrates this to use the data set of all emails that have been verified as associated with the user's GitHub account (and we just assume the user wants their primary email). This also fixes the inability for very old GitHub accounts (where the `email` field in the details might be a string the user wanted on their GitHub profile page) to using GitHub auth to login. Fixes #9127.
2018-06-07 00:19:06 +02:00
return verified_emails
Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
auth: Allow signing in to an existing account with noreply github email. In particular importing gitter data leads to having accounts with these noreply github emails. We generally only want users to have emails that we can actually send messages to, so we'll keep the old behavior of disallowing sign up with such an email address. However, if an account of this type already exists, we should allow the user to have access to it.
2020-07-22 18:31:56 +02:00
def get_usable_email_objects(self, realm: Realm, *args: Any, **kwargs: Any) -> List[Dict[str, Any]]:
# We disallow creation of new accounts with
auth: Remove `@users.noreply.github.com` from the email selection list. Apparently GitHub changed the email address for these; we need to update our code accordingly. One cannot receive emails on the username@users.noreply.github.com, so if someone tries creating an account with this email address, that person would not be able to verify the account.
2019-08-05 15:15:56 +02:00
# @noreply.github.com/@users.noreply.github.com email
# addresses, because structurally, we only want to allow email
help: Improve documentation for Gitter import.
2020-07-23 01:08:42 +02:00
# addresses that can receive emails, and those cannot.
# However, if an account with this address already exists in
# the realm (which could happen e.g. as a result of data
# import from another chat tool), we will allow signing in to
# it.
auth: Modify `filter_usable_emails` to only exclude noreply github emails. Instead of having to filter `@noreply.github.com` emails in `get_unverified_emails`, it's good to make `filter_usable_emails` just filter `@noreply.github.com` and handle verified/unverified part in their respective functions because of `@noreply.github.com` exception being a fiddly special-case detail. Also renamed `filter_usable_emails` to `get_usable_email_objects` as a line that gets all associated github emails is removed in `get_verified_emails` and `get_unverified_emails` and added to `filter_usable_emails`. The name `filter_usable_emails` suggests that it just filters given emails, whereas here it's getting all associated email objects and returning usable emails.
2020-04-03 20:01:03 +02:00
email_objs = self.get_all_associated_email_objects(*args, **kwargs)
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
return [
auth: Modify `filter_usable_emails` to only exclude noreply github emails. Instead of having to filter `@noreply.github.com` emails in `get_unverified_emails`, it's good to make `filter_usable_emails` just filter `@noreply.github.com` and handle verified/unverified part in their respective functions because of `@noreply.github.com` exception being a fiddly special-case detail. Also renamed `filter_usable_emails` to `get_usable_email_objects` as a line that gets all associated github emails is removed in `get_verified_emails` and `get_unverified_emails` and added to `filter_usable_emails`. The name `filter_usable_emails` suggests that it just filters given emails, whereas here it's getting all associated email objects and returning usable emails.
2020-04-03 20:01:03 +02:00
email for email in email_objs
auth: Allow signing in to an existing account with noreply github email. In particular importing gitter data leads to having accounts with these noreply github emails. We generally only want users to have emails that we can actually send messages to, so we'll keep the old behavior of disallowing sign up with such an email address. However, if an account of this type already exists, we should allow the user to have access to it.
2020-07-22 18:31:56 +02:00
if (not email["email"].endswith("@users.noreply.github.com")
or common_get_active_user(email["email"], realm) is not None)
auth: Let user choose emails in GitHub auth. Previously, our Github authentication backend just used the user's primary email address associated with GitHub, which was a reasonable default, but quite annoying for users who have several email addresses associated with their GitHub account. We fix this, by adding a new screen where users can select which of their (verified) GitHub email addresses to use for authentication. This is implemented using the "partial" feature of the python-social-auth pipeline system. Each email is displayed as a button. Clicking on that button chooses the email. The email value is stored in a hidden input above the button. The `primary_email` is displayed on top followed by `verified_non_primary_emails`. Backend name is also passed as `backend` to the template, which in our case is GitHub. Fixes #9876.
2018-07-18 23:45:49 +02:00
]
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
def user_data(self, access_token: str, *args: Any, **kwargs: Any) -> Dict[str, str]:
"""This patched user_data function lets us combine together the 3
capitalization: Fix OAuth capitalization. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-11-28 01:17:30 +01:00
social auth backends into a single Zulip backend for GitHub OAuth2"""
Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
team_id = settings.SOCIAL_AUTH_GITHUB_TEAM_ID
org_name = settings.SOCIAL_AUTH_GITHUB_ORG_NAME
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
if team_id is None and org_name is None:
# I believe this can't raise AuthFailed, so we don't try to catch it here.
return super().user_data(
python: Use trailing commas consistently. Automatically generated by the following script, based on the output of lint with flake8-comma: import re import sys last_filename = None last_row = None lines = [] for msg in sys.stdin: m = re.match( r"\x1b\[35mflake8 \|\x1b\[0m \x1b\[1;31m(.+):(\d+):(\d+): (\w+)", msg ) if m: filename, row_str, col_str, err = m.groups() row, col = int(row_str), int(col_str) if filename == last_filename: assert last_row != row else: if last_filename is not None: with open(last_filename, "w") as f: f.writelines(lines) with open(filename) as f: lines = f.readlines() last_filename = filename last_row = row line = lines[row - 1] if err in ["C812", "C815"]: lines[row - 1] = line[: col - 1] + "," + line[col - 1 :] elif err in ["C819"]: assert line[col - 2] == "," lines[row - 1] = line[: col - 2] + line[col - 1 :].lstrip(" ") if last_filename is not None: with open(last_filename, "w") as f: f.writelines(lines) Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-10 05:23:40 +02:00
access_token, *args, **kwargs,
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
)
elif team_id is not None:
requirements: Bump python-social-auth version. We had a bunch of ugly hacks to monkey patch things due to upstream being temporarily unmaintained and not merging PRs. Now the project is active again and the fixes have been merged and included in the latest version - so we clean up all that code.
2020-03-18 13:35:23 +01:00
backend = GithubTeamOAuth2(self.strategy, self.redirect_uri)
Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
try:
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
return backend.user_data(access_token, *args, **kwargs)
Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
except AuthFailed:
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
return dict(auth_failed_reason="GitHub user is not member of required team")
elif org_name is not None:
requirements: Bump python-social-auth version. We had a bunch of ugly hacks to monkey patch things due to upstream being temporarily unmaintained and not merging PRs. Now the project is active again and the fixes have been merged and included in the latest version - so we clean up all that code.
2020-03-18 13:35:23 +01:00
backend = GithubOrganizationOAuth2(self.strategy, self.redirect_uri)
Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
try:
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
return backend.user_data(access_token, *args, **kwargs)
Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
except AuthFailed:
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
return dict(auth_failed_reason="GitHub user is not member of required organization")
Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
auth: Rewrite our social auth integration to use pipeline. This new implementation model is a lot cleaner and should extend better to the non-oauth backend supported by python-social-auth (since we're not relying on monkey-patching `do_auth` in the OAuth backend base class).
2018-05-31 00:12:39 +02:00
raise AssertionError("Invalid configuration")
auth: Refactor auth backend enabled checking code.
2016-11-06 23:44:45 +01:00
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
@external_auth_method
auth: Add support for Azure Active Directory authentication. This takes advantage of all of our work on making the python-social-auth integration reusable for other authentication backends.
2018-10-05 14:32:02 +02:00
class AzureADAuthBackend(SocialAuthMixin, AzureADOAuth2):
auth: Reverse the `sort_order` parameter's semantics. This will make sure that if a backend doesn't specify a values for `sort_order` parameter then it will sorted to the bottom not at the top.
2019-03-10 09:38:20 +01:00
sort_order = 50
auth: Refactor social login rendering. login_context now gets the social_backends list through get_social_backend_dicts and we move display_logo customization to backend class definition. This prepares for easily adding multiple IdP support in SAML authentication - there will be a social_backend dict for each configured IdP, also allowing display_name and icon customization per IdP.
2019-10-22 18:11:28 +02:00
name = "azuread-oauth2"
auth: Add support for Azure Active Directory authentication. This takes advantage of all of our work on making the python-social-auth integration reusable for other authentication backends.
2018-10-05 14:32:02 +02:00
auth_backend_name = "AzureAD"
social_backends: Rename display_logo to display_icon.
2019-11-04 00:08:29 +01:00
display_icon = "/static/images/landing-page/logos/azuread-icon.png"
auth: Add support for Azure Active Directory authentication. This takes advantage of all of our work on making the python-social-auth integration reusable for other authentication backends.
2018-10-05 14:32:02 +02:00
auth: Add support for GitLab authentication. With some tweaks by tabbott to the documentation and comments. Fixes #13694.
2020-01-31 18:19:53 +01:00
@external_auth_method
class GitLabAuthBackend(SocialAuthMixin, GitLabOAuth2):
sort_order = 75
name = "gitlab"
auth_backend_name = "GitLab"
display_icon = "/static/images/landing-page/logos/gitlab-icon.png"
# Note: GitLab as of early 2020 supports having multiple email
# addresses connected with a GitLab account, and we could access
# those emails, but its APIs don't indicate which of those email
# addresses were verified, so we cannot use them for
# authentication like we do for the GitHub integration. Instead,
# we just use the primary email address, which is always verified.
# (No code is required to do so, as that's the default behavior).
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
@external_auth_method
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
class GoogleAuthBackend(SocialAuthMixin, GoogleOAuth2):
sort_order = 150
auth_backend_name = "Google"
name = "google"
social_backends: Rename display_logo to display_icon.
2019-11-04 00:08:29 +01:00
display_icon = "/static/images/landing-page/logos/googl_e-icon.png"
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
def get_verified_emails(self, *args: Any, **kwargs: Any) -> List[str]:
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:09:50 +02:00
verified_emails: List[str] = []
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
details = kwargs["response"]
email_verified = details.get("email_verified")
if email_verified:
verified_emails.append(details["email"])
return verified_emails
auth: Add Sign in with Apple support. This implementation overrides some of PSA's internal backend functions to handle `state` value with redis as the standard way doesn't work because of apple sending required details in the form of POST request. Includes a mixin test class that'll be useful for testing Native auth flow. Thanks to Mateusz Mandera for the idea of using redis and other important work on this. Documentation rewritten by tabbott. Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2020-06-09 12:04:21 +02:00
@external_auth_method
class AppleAuthBackend(SocialAuthMixin, AppleIdAuth):
"""
Authentication backend for "Sign in with Apple". This supports two flows:
1. The web flow, usable in a browser, like our other social auth methods.
It is a slightly modified Oauth2 authorization flow, where the response
returning the access_token also contains a JWT id_token containing the user's
identity, signed with Apple's private keys.
https://developer.apple.com/documentation/sign_in_with_apple/tokenresponse
2. The native flow, intended for users on an Apple device. In the native flow,
the device handles authentication of the user with Apple's servers and ends up
with the JWT id_token (like in the web flow). The client-side details aren't
auth: Add native flow support for Apple authentication. Overrides some of internal functions of python-social-auth to handle native flow. Credits to Mateusz Mandera for the overridden functions. Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2020-06-09 18:17:32 +02:00
relevant to us; the app should simply send the id_token as a param to the
/complete/apple/ endpoint, together with native_flow=true and any other
appropriate params, such as mobile_flow_otp.
auth: Add Sign in with Apple support. This implementation overrides some of PSA's internal backend functions to handle `state` value with redis as the standard way doesn't work because of apple sending required details in the form of POST request. Includes a mixin test class that'll be useful for testing Native auth flow. Thanks to Mateusz Mandera for the idea of using redis and other important work on this. Documentation rewritten by tabbott. Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2020-06-09 12:04:21 +02:00
"""
sort_order = 10
name = "apple"
auth_backend_name = "Apple"
auth: Make apple log in and sign up buttons consistent with others.
2020-06-18 21:01:37 +02:00
display_icon = "/static/images/landing-page/logos/apple-icon.png"
auth: Add Sign in with Apple support. This implementation overrides some of PSA's internal backend functions to handle `state` value with redis as the standard way doesn't work because of apple sending required details in the form of POST request. Includes a mixin test class that'll be useful for testing Native auth flow. Thanks to Mateusz Mandera for the idea of using redis and other important work on this. Documentation rewritten by tabbott. Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2020-06-09 12:04:21 +02:00
# Apple only sends `name` in its response the first time a user
# tries to sign up, so we won't have it in consecutive attempts.
# But if Apple does send us the user's name, it will be validated,
# so it's appropriate to set full_name_validated here.
full_name_validated = True
REDIS_EXPIRATION_SECONDS = 60*10
auth: Fix incorrect encoding of whitespace in scope in Apple backend.
2020-06-25 21:35:49 +02:00
SCOPE_SEPARATOR = "%20" # https://github.com/python-social-auth/social-core/issues/470
auth: Add check_config for apple auth. Apple has some other obligatory settings other than key and secret. To handle that this commit adds a function check_config() similar to that of SAML.
2020-07-04 19:09:01 +02:00
@classmethod
def check_config(cls) -> Optional[HttpResponse]:
obligatory_apple_settings_list = [
settings.SOCIAL_AUTH_APPLE_TEAM,
settings.SOCIAL_AUTH_APPLE_SERVICES_ID,
settings.SOCIAL_AUTH_APPLE_KEY,
settings.SOCIAL_AUTH_APPLE_SECRET,
]
if any(not setting for setting in obligatory_apple_settings_list):
return redirect_to_config_error("apple")
return None
auth: Add native flow support for Apple authentication. Overrides some of internal functions of python-social-auth to handle native flow. Credits to Mateusz Mandera for the overridden functions. Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2020-06-09 18:17:32 +02:00
def is_native_flow(self) -> bool:
return self.strategy.request_data().get('native_flow', False)
auth: Add Sign in with Apple support. This implementation overrides some of PSA's internal backend functions to handle `state` value with redis as the standard way doesn't work because of apple sending required details in the form of POST request. Includes a mixin test class that'll be useful for testing Native auth flow. Thanks to Mateusz Mandera for the idea of using redis and other important work on this. Documentation rewritten by tabbott. Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2020-06-09 12:04:21 +02:00
# This method replaces a method from python-social-auth; it is adapted to store
# the state_token data in redis.
def get_or_create_state(self) -> str:
'''Creates the Oauth2 state parameter in first step of the flow,
before redirecting the user to the IdP (aka Apple).
Apple will send the user back to us with a POST
request. Normally, we rely on being able to store certain
parameters in the user's session and use them after the
redirect. But because we've configured our session cookies to
use the Django default of in SameSite Lax mode, the browser
won't send the session cookies to our server in delivering the
POST request coming from Apple.
To work around this, we replace python-social-auth's default
session-based storage with storing the parameters in redis
under a random token derived from the state. That will allow
us to validate the state and retrieve the params after the
redirect - by querying redis for the key derived from the
state sent in the POST redirect.
'''
request_data = self.strategy.request_data().dict()
data_to_store = {
key: request_data[key] for key in self.standard_relay_params
if key in request_data
}
# Generate a random string of 32 alphanumeric characters.
state = self.state_token()
put_dict_in_redis(redis_client, 'apple_auth_{token}',
data_to_store, self.REDIS_EXPIRATION_SECONDS,
token=state)
return state
def validate_state(self) -> Optional[str]:
auth: Add native flow support for Apple authentication. Overrides some of internal functions of python-social-auth to handle native flow. Credits to Mateusz Mandera for the overridden functions. Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2020-06-09 18:17:32 +02:00
"""
This method replaces a method from python-social-auth; it is
adapted to retrieve the data stored in redis, save it in
the session so that it can be accessed by the social pipeline.
"""
auth: Add Sign in with Apple support. This implementation overrides some of PSA's internal backend functions to handle `state` value with redis as the standard way doesn't work because of apple sending required details in the form of POST request. Includes a mixin test class that'll be useful for testing Native auth flow. Thanks to Mateusz Mandera for the idea of using redis and other important work on this. Documentation rewritten by tabbott. Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2020-06-09 12:04:21 +02:00
request_state = self.get_request_state()
if not request_state:
self.logger.info("Sign in with Apple failed: missing state parameter.")
raise AuthMissingParameter(self, 'state')
formatted_request_state = "apple_auth_" + request_state
redis_data = get_dict_from_redis(redis_client, "apple_auth_{token}",
formatted_request_state)
if redis_data is None:
self.logger.info("Sign in with Apple failed: bad state token.")
raise AuthStateForbidden(self)
for param, value in redis_data.items():
if param in self.standard_relay_params:
self.strategy.session_set(param, value)
return request_state
auth: Add native flow support for Apple authentication. Overrides some of internal functions of python-social-auth to handle native flow. Credits to Mateusz Mandera for the overridden functions. Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2020-06-09 18:17:32 +02:00
def auth_complete(self, *args: Any, **kwargs: Any) -> Optional[HttpResponse]:
if not self.is_native_flow():
# The default implementation in python-social-auth is the browser flow.
return super().auth_complete(*args, **kwargs)
# We handle the Apple's native flow on our own. In this flow,
# before contacting the server, the client obtains an id_token
# from Apple directly, and then sends that to /complete/apple/
# (the endpoint handled by this function), together with any
# other desired parameters from self.standard_relay_params.
#
# What we'd like to do with the payload is just pass it into
# the common code path for the web flow. In the web flow,
# before sending a request to Apple, python-social-auth sets
# various values about the intended authentication in the
# session, before the redirect.
#
# Thus, we need to set those session variables here, before
# processing the id_token we received using the common do_auth.
request_data = self.strategy.request_data()
if 'id_token' not in request_data:
raise JsonableError(_("Missing id_token parameter"))
for param in self.standard_relay_params:
self.strategy.session_set(param, request_data.get(param))
# We should get the subdomain from the hostname of the request.
self.strategy.session_set('subdomain', get_subdomain(self.strategy.request))
try:
# Things are now ready to be handled by the superclass code. It will
# validate the id_token and push appropriate user data to the social pipeline.
result = self.do_auth(request_data['id_token'], *args, **kwargs)
return result
except (AuthFailed, AuthCanceled) as e:
# AuthFailed is a general "failure" exception from
# python-social-auth that we should convert to None return
# value here to avoid getting tracebacks.
#
# AuthCanceled is raised in the Apple backend
# implementation in python-social-auth in certain cases,
# though AuthFailed would have been more correct.
#
# We have an open PR to python-social-auth to clean this up.
logging.info("/complete/apple/: %s", str(e))
return None
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
@external_auth_method
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
class SAMLAuthBackend(SocialAuthMixin, SAMLAuth):
auth_backend_name = "SAML"
REDIS_EXPIRATION_SECONDS = 60 * 15
saml: Figure out the idp from SAMLResponse. Instead of plumbing the idp to /complete/saml/ through redis, it's much more natural to just figure it out from the SAMLResponse, because the information is there. This is also a preparatory step for adding IdP-initiated sign in, for which it is important for /complete/saml/ to be able to figure out which IdP the request is coming from.
2020-05-22 18:44:29 +02:00
SAMLRESPONSE_PARSING_EXCEPTIONS = (OneLogin_Saml2_Error, binascii.Error, XMLSyntaxError)
auth: Refactor social login rendering. login_context now gets the social_backends list through get_social_backend_dicts and we move display_logo customization to backend class definition. This prepares for easily adding multiple IdP support in SAML authentication - there will be a social_backend dict for each configured IdP, also allowing display_name and icon customization per IdP.
2019-10-22 18:11:28 +02:00
name = "saml"
saml: Give SAMLAuthBackend highest sort_order.
2019-10-19 21:12:33 +02:00
# Organization which go through the trouble of setting up SAML are most likely
# to have it as their main authentication method, so it seems appropriate to have
# SAML buttons at the top.
sort_order = 9999
auth: Support not using an icon when rendering social login buttons. Since we were using a placeholder emote for SAML, we change the defaults to no icon now that it's possible.
2019-10-26 02:03:06 +02:00
# There's no common default logo for SAML authentication.
social_backends: If no icon is to be displayed, set display_icon to None.
2019-11-05 00:08:27 +01:00
display_icon = None
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
register: Pre-populate Name in social backend flow. By adding some additional plumbing (through PreregistrationUser) of the full_name and an additional full_name_validated option, we pre-populate the Full Name field in the registration form when coming through a social backend (google/github/saml/etc.) and potentially skip the registration form (if the user would have nothing to do there other than clicking the Confirm button) and just create the account and log the user in.
2019-11-01 00:00:36 +01:00
# The full_name provided by the IdP is very likely the standard
# employee directory name for the user, and thus what they and
# their organization want to use in Zulip. So don't unnecessarily
# provide a registration flow prompt for them to set their name.
full_name_validated = True
saml: Add setting to require limit_to_subdomains on configured IdPs. If SAML_REQUIRE_LIMIT_TO_SUBDOMAINS is enabled, the configured IdPs will be validated and cleaned up when the saml backend is initialized. settings.py would be a tempting and more natural place to do this perhaps, but in settings.py we don't do logging and we wouldn't be able to write a test for it.
2020-04-16 12:05:26 +02:00
def __init__(self, *args: Any, **kwargs: Any) -> None:
if settings.SAML_REQUIRE_LIMIT_TO_SUBDOMAINS:
idps_without_limit_to_subdomains = [
idp_name for idp_name, idp_dict in settings.SOCIAL_AUTH_SAML_ENABLED_IDPS.items()
if 'limit_to_subdomains' not in idp_dict
]
if idps_without_limit_to_subdomains:
logging: Set up a different logger for each backend. Adds a top-level logger in `settings.LOGGING` `zulip.auth` with the default handlers `DEFAULT_ZULIP_HANDLERS` and an extra hanlder that writes to `/var/log/zulip/auth.log`. Each auth backend uses it's own logger, `self.logger` which is in form 'zulip.auth.<backend name>'. This way it's clear which auth backend generated the log and is easier to look for all authentication logs in one file. Besides the above mentioned changes, `name` attribute is added to `ZulipAuthMixin` so that these logging kind of calls wouldn't raise any issues when logging is tried in a class without `name` attribute. Also in the tests we use a new way to check if logger calls are made i.e. we use `assertLogs` to test if something is logged. Thanks to Mateusz Mandera for the idea of having a seperate logger for auth backends and suggestion of using `assertLogs`.
2020-06-02 20:20:53 +02:00
self.logger.error("SAML_REQUIRE_LIMIT_TO_SUBDOMAINS is enabled and the following " +
"IdPs don't have limit_to_subdomains specified and will be ignored: " +
python: Convert percent formatting to Python 3.6 f-strings. Generated by pyupgrade --py36-plus. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-10 06:41:04 +02:00
f"{idps_without_limit_to_subdomains}")
saml: Add setting to require limit_to_subdomains on configured IdPs. If SAML_REQUIRE_LIMIT_TO_SUBDOMAINS is enabled, the configured IdPs will be validated and cleaned up when the saml backend is initialized. settings.py would be a tempting and more natural place to do this perhaps, but in settings.py we don't do logging and we wouldn't be able to write a test for it.
2020-04-16 12:05:26 +02:00
for idp_name in idps_without_limit_to_subdomains:
del settings.SOCIAL_AUTH_SAML_ENABLED_IDPS[idp_name]
super().__init__(*args, **kwargs)
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
def auth_url(self) -> str:
"""Get the URL to which we must redirect in order to
authenticate the user. Overriding the original SAMLAuth.auth_url.
Runs when someone accesses the /login/saml/ endpoint."""
try:
idp_name = self.strategy.request_data()['idp']
auth = self._create_saml_auth(idp=self.get_idp(idp_name))
saml: Make the bad idp param KeyError log message more verbose. Original idea was that KeyError was only going to happen there in case of user passing bad input params to the endpoint, so logging a generic message seemed sufficient. But this can also happen in case of misconfiguration, so it's worth logging more info as it may help in debugging the configuration.
2020-02-20 15:54:39 +01:00
except KeyError as e:
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
# If the above raise KeyError, it means invalid or no idp was specified,
# we should log that and redirect to the login page.
logging: Set up a different logger for each backend. Adds a top-level logger in `settings.LOGGING` `zulip.auth` with the default handlers `DEFAULT_ZULIP_HANDLERS` and an extra hanlder that writes to `/var/log/zulip/auth.log`. Each auth backend uses it's own logger, `self.logger` which is in form 'zulip.auth.<backend name>'. This way it's clear which auth backend generated the log and is easier to look for all authentication logs in one file. Besides the above mentioned changes, `name` attribute is added to `ZulipAuthMixin` so that these logging kind of calls wouldn't raise any issues when logging is tried in a class without `name` attribute. Also in the tests we use a new way to check if logger calls are made i.e. we use `assertLogs` to test if something is logged. Thanks to Mateusz Mandera for the idea of having a seperate logger for auth backends and suggestion of using `assertLogs`.
2020-06-02 20:20:53 +02:00
self.logger.info("/login/saml/ : Bad idp param: KeyError: %s.", str(e))
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
return reverse('zerver.views.auth.login_page',
kwargs = {'template_name': 'zerver/login.html'})
# This where we change things. We need to pass some params
# (`mobile_flow_otp`, `next`, etc.) through RelayState, which
# then the IdP will pass back to us so we can read those
# parameters in the final part of the authentication flow, at
# the /complete/saml/ endpoint.
#
# To protect against network eavesdropping of these
# parameters, we send just a random token to the IdP in
# RelayState, which is used as a key into our redis data store
# for fetching the actual parameters after the IdP has
# returned a successful authentication.
saml: Figure out the idp from SAMLResponse. Instead of plumbing the idp to /complete/saml/ through redis, it's much more natural to just figure it out from the SAMLResponse, because the information is there. This is also a preparatory step for adding IdP-initiated sign in, for which it is important for /complete/saml/ to be able to figure out which IdP the request is coming from.
2020-05-22 18:44:29 +02:00
params_to_relay = self.standard_relay_params
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
request_data = self.strategy.request_data().dict()
data_to_relay = {
key: request_data[key] for key in params_to_relay if key in request_data
}
python: Replace ujson with orjson. Fixes #6507. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-08-07 01:09:47 +02:00
relay_state = orjson.dumps({"state_token": self.put_data_in_redis(data_to_relay)}).decode()
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
return auth.login(return_to=relay_state)
@classmethod
def put_data_in_redis(cls, data_to_relay: Dict[str, Any]) -> str:
redis: Extract put_dict_in_redis and get_dict_from_redis helpers.
2020-01-20 14:17:53 +01:00
return put_dict_in_redis(redis_client, "saml_token_{token}",
data_to_store=data_to_relay,
expiration_seconds=cls.REDIS_EXPIRATION_SECONDS)
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
@classmethod
def get_data_from_redis(cls, key: str) -> Optional[Dict[str, Any]]:
redis: Extract put_dict_in_redis and get_dict_from_redis helpers.
2020-01-20 14:17:53 +01:00
data = None
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
if key.startswith('saml_token_'):
# Safety if statement, to not allow someone to poke around arbitrary redis keys here.
redis_utils: Require key_format argument in get_dict_from_redis.
2020-01-26 19:01:56 +01:00
data = get_dict_from_redis(redis_client, "saml_token_{token}", key)
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
redis: Extract put_dict_in_redis and get_dict_from_redis helpers.
2020-01-20 14:17:53 +01:00
return data
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
saml: Fix incorrect settings object being passed in get_issuing_idp. Fixes #15904. settings is supposed to be a proper OneLogin_Saml2_Settings object, rather than an empty dictionary. This bug wasn't easy to spot because the codepath that causes this to demonstrate runs only if the SAMLResponse contains encrypted assertions.
2020-07-25 14:31:45 +02:00
def get_issuing_idp(self, SAMLResponse: str) -> Optional[str]:
saml: Figure out the idp from SAMLResponse. Instead of plumbing the idp to /complete/saml/ through redis, it's much more natural to just figure it out from the SAMLResponse, because the information is there. This is also a preparatory step for adding IdP-initiated sign in, for which it is important for /complete/saml/ to be able to figure out which IdP the request is coming from.
2020-05-22 18:44:29 +02:00
"""
Given a SAMLResponse, returns which of the configured IdPs is declared as the issuer.
This value MUST NOT be trusted as the true issuer!
The signatures are not validated, so it can be tampered with by the user.
That's not a problem for this function,
and true validation happens later in the underlying libraries, but it's important
to note this detail. The purpose of this function is merely as a helper to figure out which
of the configured IdPs' information to use for parsing and validating the response.
"""
try:
saml: Fix incorrect settings object being passed in get_issuing_idp. Fixes #15904. settings is supposed to be a proper OneLogin_Saml2_Settings object, rather than an empty dictionary. This bug wasn't easy to spot because the codepath that causes this to demonstrate runs only if the SAMLResponse contains encrypted assertions.
2020-07-25 14:31:45 +02:00
config = self.generate_saml_config()
saml_settings = OneLogin_Saml2_Settings(config, sp_validation_only=True)
resp = OneLogin_Saml2_Response(settings=saml_settings, response=SAMLResponse)
saml: Figure out the idp from SAMLResponse. Instead of plumbing the idp to /complete/saml/ through redis, it's much more natural to just figure it out from the SAMLResponse, because the information is there. This is also a preparatory step for adding IdP-initiated sign in, for which it is important for /complete/saml/ to be able to figure out which IdP the request is coming from.
2020-05-22 18:44:29 +02:00
issuers = resp.get_issuers()
saml: Fix incorrect settings object being passed in get_issuing_idp. Fixes #15904. settings is supposed to be a proper OneLogin_Saml2_Settings object, rather than an empty dictionary. This bug wasn't easy to spot because the codepath that causes this to demonstrate runs only if the SAMLResponse contains encrypted assertions.
2020-07-25 14:31:45 +02:00
except self.SAMLRESPONSE_PARSING_EXCEPTIONS:
saml: Use self.logger in get_issuing_idp. get_issuing_idp is no longer a class method, so that akward logger fetching can be skipped and self.logger can be accessed.
2020-07-25 14:52:01 +02:00
self.logger.info("Error while parsing SAMLResponse:", exc_info=True)
saml: Figure out the idp from SAMLResponse. Instead of plumbing the idp to /complete/saml/ through redis, it's much more natural to just figure it out from the SAMLResponse, because the information is there. This is also a preparatory step for adding IdP-initiated sign in, for which it is important for /complete/saml/ to be able to figure out which IdP the request is coming from.
2020-05-22 18:44:29 +02:00
return None
for idp_name, idp_config in settings.SOCIAL_AUTH_SAML_ENABLED_IDPS.items():
if idp_config['entity_id'] in issuers:
return idp_name
return None
saml: Support IdP-initiated SSO.
2020-05-23 15:21:19 +02:00
def get_relayed_params(self) -> Dict[str, Any]:
request_data = self.strategy.request_data()
if 'RelayState' not in request_data:
return {}
relay_state = request_data['RelayState']
try:
python: Replace ujson with orjson. Fixes #6507. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-08-07 01:09:47 +02:00
data = orjson.loads(relay_state)
saml: Support IdP-initiated SSO.
2020-05-23 15:21:19 +02:00
if 'state_token' in data:
# SP-initiated sign in. We stored relevant information in the first
# step of the flow
return self.get_data_from_redis(data['state_token']) or {}
else:
# IdP-initiated sign in. Right now we only support transporting subdomain through json in
# RelayState, but this format is nice in that it allows easy extensibility here.
return {'subdomain': data.get('subdomain')}
except (ValueError, TypeError):
return {}
def choose_subdomain(self, relayed_params: Dict[str, Any]) -> Optional[str]:
subdomain = relayed_params.get("subdomain")
if subdomain is not None:
return subdomain
# If not specified otherwise, the intended subdomain for this
# authentication attempt is the subdomain of the request.
request_subdomain = get_subdomain(self.strategy.request)
try:
# We only want to do a basic sanity-check here for whether
# this subdomain has a realm one could try to authenticate
# to. True validation of whether the realm is active, the
# IdP is appropriate for the subdomain, etc. happens
# elsewhere in the flow and we shouldn't duplicate such
# logic here.
get_realm(request_subdomain)
except Realm.DoesNotExist:
return None
else:
return request_subdomain
saml: Add option to restrict subdomain access based on SAML attributes. Adds the ability to set a SAML attribute which contains a list of subdomains the user is allowed to access. This allows a Zulip server with multiple organizations to filter using SAML attributes which organization each user can access. Cleaned up and adapted by Mateusz Mandera to fit our conventions and needs more. Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2020-06-19 21:44:29 +02:00
def _check_entitlements(self, idp: SAMLIdentityProvider, attributes: Dict[str, List[str]]) -> None:
"""
Below is the docstring from the social_core SAML backend.
Additional verification of a SAML response before
authenticating the user.
Subclasses can override this method if they need custom
validation code, such as requiring the presence of an
eduPersonEntitlement.
raise social_core.exceptions.AuthForbidden if the user should not
be authenticated, or do nothing to allow the login pipeline to
continue.
"""
org_membership_attribute = idp.conf.get('attr_org_membership', None)
if org_membership_attribute is None:
return
subdomain = self.strategy.session_get('subdomain')
entitlements: Union[str, List[str]] = attributes.get(org_membership_attribute, [])
if subdomain in entitlements:
return
# The root subdomain is a special case, as sending an
# empty string in the list of values of the attribute may
# not be viable. So, any of the ROOT_SUBDOMAIN_ALIASES can
# be used to signify the user is authorized for the root
# subdomain.
if (subdomain == Realm.SUBDOMAIN_FOR_ROOT_DOMAIN
and not settings.ROOT_DOMAIN_LANDING_PAGE
and any(alias in entitlements for alias in settings.ROOT_SUBDOMAIN_ALIASES)):
return
error_msg = f"SAML user from IdP {idp.name} rejected due to missing entitlement " + \
f"for subdomain '{subdomain}'. User entitlements: {entitlements}."
raise AuthFailed(self, error_msg)
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
def auth_complete(self, *args: Any, **kwargs: Any) -> Optional[HttpResponse]:
"""
Additional ugly wrapping on top of auth_complete in SocialAuthMixin.
We handle two things here:
1. Working around bad RelayState or SAMLResponse parameters in the request.
Both parameters should be present if the user came to /complete/saml/ through
the IdP as intended. The errors can happen if someone simply types the endpoint into
their browsers, or generally tries messing with it in some ways.
2. The first part of our SAML authentication flow will encode important parameters
into the RelayState. We need to read them and set those values in the session,
and then change the RelayState param to the idp_name, because that's what
SAMLAuth.auth_complete() expects.
"""
saml: Figure out the idp from SAMLResponse. Instead of plumbing the idp to /complete/saml/ through redis, it's much more natural to just figure it out from the SAMLResponse, because the information is there. This is also a preparatory step for adding IdP-initiated sign in, for which it is important for /complete/saml/ to be able to figure out which IdP the request is coming from.
2020-05-22 18:44:29 +02:00
SAMLResponse = self.strategy.request_data().get('SAMLResponse')
if SAMLResponse is None:
logging: Set up a different logger for each backend. Adds a top-level logger in `settings.LOGGING` `zulip.auth` with the default handlers `DEFAULT_ZULIP_HANDLERS` and an extra hanlder that writes to `/var/log/zulip/auth.log`. Each auth backend uses it's own logger, `self.logger` which is in form 'zulip.auth.<backend name>'. This way it's clear which auth backend generated the log and is easier to look for all authentication logs in one file. Besides the above mentioned changes, `name` attribute is added to `ZulipAuthMixin` so that these logging kind of calls wouldn't raise any issues when logging is tried in a class without `name` attribute. Also in the tests we use a new way to check if logger calls are made i.e. we use `assertLogs` to test if something is logged. Thanks to Mateusz Mandera for the idea of having a seperate logger for auth backends and suggestion of using `assertLogs`.
2020-06-02 20:20:53 +02:00
self.logger.info("/complete/saml/: No SAMLResponse in request.")
saml: Figure out the idp from SAMLResponse. Instead of plumbing the idp to /complete/saml/ through redis, it's much more natural to just figure it out from the SAMLResponse, because the information is there. This is also a preparatory step for adding IdP-initiated sign in, for which it is important for /complete/saml/ to be able to figure out which IdP the request is coming from.
2020-05-22 18:44:29 +02:00
return None
saml: Support IdP-initiated SSO.
2020-05-23 15:21:19 +02:00
relayed_params = self.get_relayed_params()
subdomain = self.choose_subdomain(relayed_params)
if subdomain is None:
error_msg = "/complete/saml/: Can't figure out subdomain for this authentication request. " + \
"relayed_params: %s"
logging: Set up a different logger for each backend. Adds a top-level logger in `settings.LOGGING` `zulip.auth` with the default handlers `DEFAULT_ZULIP_HANDLERS` and an extra hanlder that writes to `/var/log/zulip/auth.log`. Each auth backend uses it's own logger, `self.logger` which is in form 'zulip.auth.<backend name>'. This way it's clear which auth backend generated the log and is easier to look for all authentication logs in one file. Besides the above mentioned changes, `name` attribute is added to `ZulipAuthMixin` so that these logging kind of calls wouldn't raise any issues when logging is tried in a class without `name` attribute. Also in the tests we use a new way to check if logger calls are made i.e. we use `assertLogs` to test if something is logged. Thanks to Mateusz Mandera for the idea of having a seperate logger for auth backends and suggestion of using `assertLogs`.
2020-06-02 20:20:53 +02:00
self.logger.info(error_msg, relayed_params)
saml: Support IdP-initiated SSO.
2020-05-23 15:21:19 +02:00
return None
saml: Figure out the idp from SAMLResponse. Instead of plumbing the idp to /complete/saml/ through redis, it's much more natural to just figure it out from the SAMLResponse, because the information is there. This is also a preparatory step for adding IdP-initiated sign in, for which it is important for /complete/saml/ to be able to figure out which IdP the request is coming from.
2020-05-22 18:44:29 +02:00
idp_name = self.get_issuing_idp(SAMLResponse)
if idp_name is None:
logging: Set up a different logger for each backend. Adds a top-level logger in `settings.LOGGING` `zulip.auth` with the default handlers `DEFAULT_ZULIP_HANDLERS` and an extra hanlder that writes to `/var/log/zulip/auth.log`. Each auth backend uses it's own logger, `self.logger` which is in form 'zulip.auth.<backend name>'. This way it's clear which auth backend generated the log and is easier to look for all authentication logs in one file. Besides the above mentioned changes, `name` attribute is added to `ZulipAuthMixin` so that these logging kind of calls wouldn't raise any issues when logging is tried in a class without `name` attribute. Also in the tests we use a new way to check if logger calls are made i.e. we use `assertLogs` to test if something is logged. Thanks to Mateusz Mandera for the idea of having a seperate logger for auth backends and suggestion of using `assertLogs`.
2020-06-02 20:20:53 +02:00
self.logger.info("/complete/saml/: No valid IdP as issuer of the SAMLResponse.")
saml: Figure out the idp from SAMLResponse. Instead of plumbing the idp to /complete/saml/ through redis, it's much more natural to just figure it out from the SAMLResponse, because the information is there. This is also a preparatory step for adding IdP-initiated sign in, for which it is important for /complete/saml/ to be able to figure out which IdP the request is coming from.
2020-05-22 18:44:29 +02:00
return None
saml: Implement limiting of IdP to specified realms. Through the limit_to_subdomains setting on IdP dicts it's now possible to limit the IdP to only allow authenticating to the specified realms. Fixes #13340.
2020-04-10 16:30:02 +02:00
idp_valid = self.validate_idp_for_subdomain(idp_name, subdomain)
if not idp_valid:
saml: Support IdP-initiated SSO.
2020-05-23 15:21:19 +02:00
error_msg = "/complete/saml/: Authentication request with IdP %s but this provider is not " + \
"enabled for this subdomain %s."
logging: Set up a different logger for each backend. Adds a top-level logger in `settings.LOGGING` `zulip.auth` with the default handlers `DEFAULT_ZULIP_HANDLERS` and an extra hanlder that writes to `/var/log/zulip/auth.log`. Each auth backend uses it's own logger, `self.logger` which is in form 'zulip.auth.<backend name>'. This way it's clear which auth backend generated the log and is easier to look for all authentication logs in one file. Besides the above mentioned changes, `name` attribute is added to `ZulipAuthMixin` so that these logging kind of calls wouldn't raise any issues when logging is tried in a class without `name` attribute. Also in the tests we use a new way to check if logger calls are made i.e. we use `assertLogs` to test if something is logged. Thanks to Mateusz Mandera for the idea of having a seperate logger for auth backends and suggestion of using `assertLogs`.
2020-06-02 20:20:53 +02:00
self.logger.info(error_msg, idp_name, subdomain)
saml: Implement limiting of IdP to specified realms. Through the limit_to_subdomains setting on IdP dicts it's now possible to limit the IdP to only allow authenticating to the specified realms. Fixes #13340.
2020-04-10 16:30:02 +02:00
return None
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
result = None
try:
saml: Support IdP-initiated SSO.
2020-05-23 15:21:19 +02:00
params = relayed_params.copy()
params['subdomain'] = subdomain
for param, value in params.items():
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
if param in self.standard_relay_params:
self.strategy.session_set(param, value)
# super().auth_complete expects to have RelayState set to the idp_name,
# so we need to replace this param.
post_params = self.strategy.request.POST.copy()
saml: Implement limiting of IdP to specified realms. Through the limit_to_subdomains setting on IdP dicts it's now possible to limit the IdP to only allow authenticating to the specified realms. Fixes #13340.
2020-04-10 16:30:02 +02:00
post_params['RelayState'] = idp_name
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
self.strategy.request.POST = post_params
# Call the auth_complete method of SocialAuthMixIn
mypy: Remove unnecessary type: ignore annotations. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 03:51:22 +02:00
result = super().auth_complete(*args, **kwargs)
logging: Use logging.exception and exc_info for unexpected exceptions. logging.exception() and logging.debug(exc_info=True), etc. automatically include a traceback. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-12 01:35:37 +02:00
except self.SAMLRESPONSE_PARSING_EXCEPTIONS:
saml: Gracefully handle bad SAMLResponses.
2020-05-22 15:26:17 +02:00
# These can be raised if SAMLResponse is missing or badly formatted.
logging: Use logging.exception and exc_info for unexpected exceptions. logging.exception() and logging.debug(exc_info=True), etc. automatically include a traceback. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-12 01:35:37 +02:00
self.logger.info("/complete/saml/: error while parsing SAMLResponse:", exc_info=True)
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
# Fall through to returning None.
finally:
if result is None:
for param in self.standard_relay_params:
# If an attacker managed to eavesdrop on the RelayState token,
# they may pass it here to the endpoint with an invalid SAMLResponse.
# We remove these potentially sensitive parameters that we have set in the session
text: Fix some typos (most of them found and fixed by codespell). Signed-off-by: Stefan Weil <sw@weilnetz.de>
2020-03-28 01:25:56 +01:00
# earlier, to avoid leaking their values.
auth: Add initial SAML authentication support. There are a few outstanding issues that we expect to resolve beforce including this in a release, but this is good checkpoint to merge. This PR is a collaboration with Tim Abbott. Fixes #716.
2019-09-29 06:32:56 +02:00
self.strategy.session_set(param, None)
return result
saml: Implement limiting of IdP to specified realms. Through the limit_to_subdomains setting on IdP dicts it's now possible to limit the IdP to only allow authenticating to the specified realms. Fixes #13340.
2020-04-10 16:30:02 +02:00
@classmethod
def validate_idp_for_subdomain(cls, idp_name: str, subdomain: str) -> bool:
idp_dict = settings.SOCIAL_AUTH_SAML_ENABLED_IDPS.get(idp_name)
if idp_dict is None:
python: Convert percent formatting to Python 3.6 f-strings. Generated by pyupgrade --py36-plus. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-10 06:41:04 +02:00
raise AssertionError(f"IdP: {idp_name} not found")
saml: Implement limiting of IdP to specified realms. Through the limit_to_subdomains setting on IdP dicts it's now possible to limit the IdP to only allow authenticating to the specified realms. Fixes #13340.
2020-04-10 16:30:02 +02:00
if 'limit_to_subdomains' in idp_dict and subdomain not in idp_dict['limit_to_subdomains']:
return False
return True
saml: Sanity-check configuration in both login and signup codepaths.
2019-10-26 01:51:48 +02:00
@classmethod
def check_config(cls) -> Optional[HttpResponse]:
obligatory_saml_settings_list = [
settings.SOCIAL_AUTH_SAML_SP_ENTITY_ID,
settings.SOCIAL_AUTH_SAML_ORG_INFO,
settings.SOCIAL_AUTH_SAML_TECHNICAL_CONTACT,
settings.SOCIAL_AUTH_SAML_SUPPORT_CONTACT,
python: Use trailing commas consistently. Automatically generated by the following script, based on the output of lint with flake8-comma: import re import sys last_filename = None last_row = None lines = [] for msg in sys.stdin: m = re.match( r"\x1b\[35mflake8 \|\x1b\[0m \x1b\[1;31m(.+):(\d+):(\d+): (\w+)", msg ) if m: filename, row_str, col_str, err = m.groups() row, col = int(row_str), int(col_str) if filename == last_filename: assert last_row != row else: if last_filename is not None: with open(last_filename, "w") as f: f.writelines(lines) with open(filename) as f: lines = f.readlines() last_filename = filename last_row = row line = lines[row - 1] if err in ["C812", "C815"]: lines[row - 1] = line[: col - 1] + "," + line[col - 1 :] elif err in ["C819"]: assert line[col - 2] == "," lines[row - 1] = line[: col - 2] + line[col - 1 :].lstrip(" ") if last_filename is not None: with open(last_filename, "w") as f: f.writelines(lines) Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-10 05:23:40 +02:00
settings.SOCIAL_AUTH_SAML_ENABLED_IDPS,
saml: Sanity-check configuration in both login and signup codepaths.
2019-10-26 01:51:48 +02:00
]
if any(not setting for setting in obligatory_saml_settings_list):
return redirect_to_config_error("saml")
return None
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
@classmethod
saml: Implement limiting of IdP to specified realms. Through the limit_to_subdomains setting on IdP dicts it's now possible to limit the IdP to only allow authenticating to the specified realms. Fixes #13340.
2020-04-10 16:30:02 +02:00
def dict_representation(cls, realm: Optional[Realm]=None) -> List[ExternalAuthMethodDictT]:
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:09:50 +02:00
result: List[ExternalAuthMethodDictT] = []
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
for idp_name, idp_dict in settings.SOCIAL_AUTH_SAML_ENABLED_IDPS.items():
saml: Implement limiting of IdP to specified realms. Through the limit_to_subdomains setting on IdP dicts it's now possible to limit the IdP to only allow authenticating to the specified realms. Fixes #13340.
2020-04-10 16:30:02 +02:00
if realm and not cls.validate_idp_for_subdomain(idp_name, realm.subdomain):
continue
saml: Change which IdPs are returned to get_external_method_dicts. If queried without a realm, get_external_method_dicts should only have IdPs that can be used on all realms.
2020-04-18 15:47:41 +02:00
if realm is None and 'limit_to_subdomains' in idp_dict:
# If queried without a realm, only return IdPs that can be used on all realms.
continue
saml: Implement limiting of IdP to specified realms. Through the limit_to_subdomains setting on IdP dicts it's now possible to limit the IdP to only allow authenticating to the specified realms. Fixes #13340.
2020-04-10 16:30:02 +02:00
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:09:50 +02:00
saml_dict: ExternalAuthMethodDictT = dict(
python: Convert "".format to Python 3.6 f-strings. Generated by pyupgrade --py36-plus --keep-percent-format, but with the NamedTuple changes reverted (see commit ba7906a3c657905fa35bbcfb4e97b053f050272d, #15132). Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-09 00:25:09 +02:00
name=f'saml:{idp_name}',
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
display_name=idp_dict.get('display_name', cls.auth_backend_name),
display_icon=idp_dict.get('display_icon', cls.display_icon),
login_url=reverse('login-social-extra-arg', args=('saml', idp_name)),
signup_url=reverse('signup-social-extra-arg', args=('saml', idp_name)),
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:09:50 +02:00
)
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
result.append(saml_dict)
auth: Change SAML login url scheme, enabling multiple IdP support. The url scheme is now /accounts/login/social/saml/{idp_name} to initiate login using the IdP configured under "idp_name" name. display_name and display_logo (the name and icon to show on the "Log in with" button) can be customized by adding the apprioprate settings in the configured IdP dictionaries.
2019-10-22 18:23:57 +02:00
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
return result
auth: Change SAML login url scheme, enabling multiple IdP support. The url scheme is now /accounts/login/social/saml/{idp_name} to initiate login using the IdP configured under "idp_name" name. display_name and display_logo (the name and icon to show on the "Log in with" button) can be customized by adding the apprioprate settings in the configured IdP dictionaries.
2019-10-22 18:23:57 +02:00
auth: Ensure only one of mobile and desktop otps in validate_otp_params. validate_otp_params needs to be moved to backends.py, because as of this commit it'll be used both there and in views.auth - and import from views.auth to backends.py causes circular import issue.
2020-02-01 17:45:22 +01:00
def validate_otp_params(mobile_flow_otp: Optional[str]=None,
desktop_flow_otp: Optional[str]=None) -> None:
for otp in [mobile_flow_otp, desktop_flow_otp]:
if otp is not None and not is_valid_otp(otp):
raise JsonableError(_("Invalid OTP"))
if mobile_flow_otp and desktop_flow_otp:
raise JsonableError(_("Can't use both mobile_flow_otp and desktop_flow_otp together."))
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
def get_external_method_dicts(realm: Optional[Realm]=None) -> List[ExternalAuthMethodDictT]:
social_backends: Remove sort_order from social backend dicts. These are returned through the API, at the /server_settings endpoint. It's better to just return the list of dicts with a guarantee of being sorted in the correct order, than to clutter things with the sort_order field.
2019-11-02 04:35:39 +01:00
"""
Returns a list of dictionaries that represent social backends, sorted
in the order in which they should be displayed.
"""
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:09:50 +02:00
result: List[ExternalAuthMethodDictT] = []
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
for backend in EXTERNAL_AUTH_METHODS:
# EXTERNAL_AUTH_METHODS is already sorted in the correct order,
social_backends: Remove sort_order from social backend dicts. These are returned through the API, at the /server_settings endpoint. It's better to just return the list of dicts with a guarantee of being sorted in the correct order, than to clutter things with the sort_order field.
2019-11-02 04:35:39 +01:00
# so we don't need to worry about sorting here.
auth: Refactor social login rendering. login_context now gets the social_backends list through get_social_backend_dicts and we move display_logo customization to backend class definition. This prepares for easily adding multiple IdP support in SAML authentication - there will be a social_backend dict for each configured IdP, also allowing display_name and icon customization per IdP.
2019-10-22 18:11:28 +02:00
if auth_enabled_helper([backend.auth_backend_name], realm):
saml: Implement limiting of IdP to specified realms. Through the limit_to_subdomains setting on IdP dicts it's now possible to limit the IdP to only allow authenticating to the specified realms. Fixes #13340.
2020-04-10 16:30:02 +02:00
result.extend(backend.dict_representation(realm))
auth: Refactor social login rendering. login_context now gets the social_backends list through get_social_backend_dicts and we move display_logo customization to backend class definition. This prepares for easily adding multiple IdP support in SAML authentication - there will be a social_backend dict for each configured IdP, also allowing display_name and icon customization per IdP.
2019-10-22 18:11:28 +02:00
social_backends: Remove sort_order from social backend dicts. These are returned through the API, at the /server_settings endpoint. It's better to just return the list of dicts with a guarantee of being sorted in the correct order, than to clutter things with the sort_order field.
2019-11-02 04:35:39 +01:00
return result
auth: Refactor social login rendering. login_context now gets the social_backends list through get_social_backend_dicts and we move display_logo customization to backend class definition. This prepares for easily adding multiple IdP support in SAML authentication - there will be a social_backend dict for each configured IdP, also allowing display_name and icon customization per IdP.
2019-10-22 18:11:28 +02:00
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:09:50 +02:00
AUTH_BACKEND_NAME_MAP: Dict[str, Any] = {
zproject: Remove u prefix from strings.
2017-11-02 08:05:56 +01:00
'Dev': DevAuthBackend,
'Email': EmailAuthBackend,
'LDAP': ZulipLDAPAuthBackend,
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-22 01:09:50 +02:00
}
auth: Automate social auth backends in AUTH_BACKEND_NAME_MAP. This saves a line of manual code every time we add a new social auth backend.
2018-10-12 01:58:01 +02:00
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
for external_method in EXTERNAL_AUTH_METHODS:
AUTH_BACKEND_NAME_MAP[external_method.auth_backend_name] = external_method
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
auth: Expand on the external_auth_method abstraction. This commit builds a more complete concept of an "external authentication method". Our social backends become a special case of an external authentication method - but these changes don't change the actual behavior of social backends, they allow having other backends (that come from python-social-auth and don't use the social backend pipeline) share useful code that so far only serviced social backends. Most importantly, this allows having other backends show up in the external_authentication_methods field of the /server_settings endpoint, as well as rendering buttons through the same mechanism as we already did for social backends. This moves the creation of dictonaries describing the backend for the API and button rendering code away into a method, that each backend in this category is responsible for defining. To register a backend as an external_authentication_method, it should subclass ExternalAuthMethod and define its dict_representation classmethod, and finally use the external_auth_method class decorator to get added to the EXTERNAL_AUTH_METHODS list.
2019-12-08 23:11:25 +01:00
EXTERNAL_AUTH_METHODS = sorted(EXTERNAL_AUTH_METHODS, key=lambda x: x.sort_order, reverse=True)
social_backends: Remove sort_order from social backend dicts. These are returned through the API, at the /server_settings endpoint. It's better to just return the list of dicts with a guarantee of being sorted in the correct order, than to clutter things with the sort_order field.
2019-11-02 04:35:39 +01:00
auth: Migrate google auth to python-social-auth. This replaces the two custom Google authentication backends originally written in 2012 with using the shared python-social-auth codebase that we already use for the GitHub authentication backend. These are: * GoogleMobileOauth2Backend, the ancient code path for mobile authentication last used by the EOL original Zulip Android app. * The `finish_google_oauth2` code path in zerver/views/auth.py, which was the webapp (and modern mobile app) Google authentication code path. This change doesn't fix any known bugs; its main benefit is that we get to remove hundreds of lines of security-sensitive semi-duplicated code, replacing it with a widely trusted, high quality third-party library.
2019-02-02 16:51:26 +01:00
# Provide this alternative name for backwards compatibility with
# installations that had the old backend enabled.
GoogleMobileOauth2Backend = GoogleAuthBackend