Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zulip/zproject/backends.py

211 lines
7.8 KiB
Python
Raw Normal View History

SSO / REMOTE_USER support (imported from commit 4f4fad7af5d3c6099cac95d7708338c182626d72)
2013-11-04 23:16:46 +01:00
from __future__ import absolute_import
from django.contrib.auth.backends import RemoteUserBackend
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
from django.conf import settings
Disable password change when SSO is the only login option (imported from commit fd1a14237e2d6ea574331ed178bfc0db5beb18c6)
2013-11-04 23:42:31 +01:00
import django.contrib.auth
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
from django_auth_ldap.backend import LDAPBackend
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
from zerver.lib.actions import do_create_user
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
from zerver.models import UserProfile, Realm, get_user_profile_by_id, \
get_user_profile_by_email, remote_user_to_email, email_to_username, \
resolve_email_to_domain, get_realm
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
[manual] Accept OAuth2 tokens for API login via Google Apps This is used by the Android app to authenticate without prompting for a password. To do so, we implement a custom authentication backend that validates the ID token provided by Google and then tries to see if we have a corresponding UserProfile on file for them. If the attestation is valid but the user is unregistered, we return that fact by modifying a dictionary passed in as a parameter. We then return the appropriate error message via the API. This commit adds a dependency on the "googleapi" module. On Debian-based systems with the Zulip APT repository: sudo apt-get install python-googleapi For OS X and other platforms: pip install googleapi (imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-10 23:48:05 +01:00
from apiclient.sample_tools import client as googleapiclient
from oauth2client.crypt import AppIdentityError
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
Make password_auth_enabled() take a realm object This will actually be used in an upcoming commit. (imported from commit 5d3db685a245899b2523440398f2ed2f0cfec4f4)
2014-03-28 00:45:03 +01:00
def password_auth_enabled(realm):
Fix bug in dev login which showed email/password prompts on logins after the first. (imported from commit 626684ef1da8feb53aca05c9225ee628156f9810)
2015-08-19 03:42:38 +02:00
if realm is not None:
Remove the SSO-only realm integration. It's messy code, only one customer ever used it, and it's not in use today. (imported from commit af3f512ac6af74af66c588c7d40d699e98514d0a)
2015-09-20 06:16:18 +02:00
if realm.domain == 'zulip.com' and settings.PRODUCTION:
Fix bug in dev login which showed email/password prompts on logins after the first. (imported from commit 626684ef1da8feb53aca05c9225ee628156f9810)
2015-08-19 03:42:38 +02:00
# the dropbox realm is SSO only, but the unit tests still need to be
# able to login
return False
Disable password auth for dropbox This change disabled password auth, but the UI still shows the login form. I will remove that once we have the new hostname. (imported from commit 6ca119571854ac54645680b40255e346be1c1613)
2015-02-06 03:00:28 +01:00
Disable password change when SSO is the only login option (imported from commit fd1a14237e2d6ea574331ed178bfc0db5beb18c6)
2013-11-04 23:42:31 +01:00
for backend in django.contrib.auth.get_backends():
if isinstance(backend, EmailAuthBackend):
return True
Show the username/password form if ZulipLDAPAuthBackend is enabled.
2015-09-30 08:14:17 +02:00
if isinstance(backend, ZulipLDAPAuthBackend):
return True
Disable password change when SSO is the only login option (imported from commit fd1a14237e2d6ea574331ed178bfc0db5beb18c6)
2013-11-04 23:42:31 +01:00
return False
Add a new dev login page for logging in without a password on the dev VM. (imported from commit ac8f2504771c9907b7e92dc91cec5f7220ce951b)
2015-08-19 02:58:20 +02:00
def dev_auth_enabled():
for backend in django.contrib.auth.get_backends():
if isinstance(backend, DevAuthBackend):
return True
return False
def google_auth_enabled():
for backend in django.contrib.auth.get_backends():
if isinstance(backend, GoogleMobileOauth2Backend):
return True
return False
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
def common_get_active_user_by_email(email, return_data=None):
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
try:
user_profile = get_user_profile_by_email(email)
except UserProfile.DoesNotExist:
return None
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
if not user_profile.is_active:
if return_data is not None:
return_data['inactive_user'] = True
return None
if user_profile.realm.deactivated:
if return_data is not None:
return_data['inactive_realm'] = True
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
return None
return user_profile
Factor out get_user in zproject/backends.py (imported from commit d60b5440722ed596ffbcb81086b2f62d535288dd)
2013-11-01 20:22:12 +01:00
class ZulipAuthMixin(object):
def get_user(self, user_profile_id):
""" Get a UserProfile object from the user_profile_id. """
try:
return get_user_profile_by_id(user_profile_id)
except UserProfile.DoesNotExist:
return None
Use LDAP-provided information if available for real names If authoritative data is available from say the LDAP database, we now ignore the POSTed user name, and don't offer it as a form field. We fall back to giving the user a text field if they aren't in LDAP. If users do not have any form fields to fill out, we simply bring them to the app without the registration page, logging them in using a dummy backend. (imported from commit 6bee87430ba46ff753ea3408251e8a80c45c713f)
2013-11-21 04:57:23 +01:00
class ZulipDummyBackend(ZulipAuthMixin):
"""
Used when we want to log you in but we don't know which backend to use.
"""
def authenticate(self, username=None, use_dummy_backend=False):
if use_dummy_backend:
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
return common_get_active_user_by_email(username)
Use LDAP-provided information if available for real names If authoritative data is available from say the LDAP database, we now ignore the POSTed user name, and don't offer it as a form field. We fall back to giving the user a text field if they aren't in LDAP. If users do not have any form fields to fill out, we simply bring them to the app without the registration page, logging them in using a dummy backend. (imported from commit 6bee87430ba46ff753ea3408251e8a80c45c713f)
2013-11-21 04:57:23 +01:00
return None
Factor out get_user in zproject/backends.py (imported from commit d60b5440722ed596ffbcb81086b2f62d535288dd)
2013-11-01 20:22:12 +01:00
class EmailAuthBackend(ZulipAuthMixin):
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
"""
Email Authentication Backend
Allows a user to sign in using an email/password pair rather than
a username/password pair.
"""
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
def authenticate(self, username=None, password=None, return_data=None):
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
""" Authenticate a user based on email address as the user name. """
if username is None or password is None:
# Return immediately. Otherwise we will look for a SQL row with
# NULL username. While that's probably harmless, it's needless
# exposure.
return None
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
user_profile = common_get_active_user_by_email(username, return_data=return_data)
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
if user_profile is None:
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
return None
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
if not password_auth_enabled(user_profile.realm):
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
if return_data is not None:
return_data['password_auth_disabled'] = True
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
return None
if user_profile.check_password(password):
return user_profile
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
[manual] Accept OAuth2 tokens for API login via Google Apps This is used by the Android app to authenticate without prompting for a password. To do so, we implement a custom authentication backend that validates the ID token provided by Google and then tries to see if we have a corresponding UserProfile on file for them. If the attestation is valid but the user is unregistered, we return that fact by modifying a dictionary passed in as a parameter. We then return the appropriate error message via the API. This commit adds a dependency on the "googleapi" module. On Debian-based systems with the Zulip APT repository: sudo apt-get install python-googleapi For OS X and other platforms: pip install googleapi (imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-10 23:48:05 +01:00
class GoogleMobileOauth2Backend(ZulipAuthMixin):
"""
Google Apps authentication for mobile devices
Allows a user to sign in using a Google-issued OAuth2 token.
Ref:
https://developers.google.com/+/mobile/android/sign-in#server-side_access_for_your_app
https://developers.google.com/accounts/docs/CrossClientAuth#offlineAccess
"""
def authenticate(self, google_oauth2_token=None, return_data={}):
try:
token_payload = googleapiclient.verify_id_token(google_oauth2_token, settings.GOOGLE_CLIENT_ID)
except AppIdentityError:
return None
Fix Google OAuth login by checking True as well as true in oauth response (imported from commit c80620eca4dbd9b5b0122e8e564bc7257a2bd4f5)
2014-05-14 18:57:09 +02:00
if token_payload["email_verified"] in (True, "true"):
[manual] Accept OAuth2 tokens for API login via Google Apps This is used by the Android app to authenticate without prompting for a password. To do so, we implement a custom authentication backend that validates the ID token provided by Google and then tries to see if we have a corresponding UserProfile on file for them. If the attestation is valid but the user is unregistered, we return that fact by modifying a dictionary passed in as a parameter. We then return the appropriate error message via the API. This commit adds a dependency on the "googleapi" module. On Debian-based systems with the Zulip APT repository: sudo apt-get install python-googleapi For OS X and other platforms: pip install googleapi (imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-10 23:48:05 +01:00
try:
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
user_profile = get_user_profile_by_email(token_payload["email"])
[manual] Accept OAuth2 tokens for API login via Google Apps This is used by the Android app to authenticate without prompting for a password. To do so, we implement a custom authentication backend that validates the ID token provided by Google and then tries to see if we have a corresponding UserProfile on file for them. If the attestation is valid but the user is unregistered, we return that fact by modifying a dictionary passed in as a parameter. We then return the appropriate error message via the API. This commit adds a dependency on the "googleapi" module. On Debian-based systems with the Zulip APT repository: sudo apt-get install python-googleapi For OS X and other platforms: pip install googleapi (imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-10 23:48:05 +01:00
except UserProfile.DoesNotExist:
return_data["valid_attestation"] = True
return None
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
if not user_profile.is_active:
return_data["inactive_user"] = True
return None
if user_profile.realm.deactivated:
return_data["inactive_realm"] = True
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
return None
return user_profile
[manual] Accept OAuth2 tokens for API login via Google Apps This is used by the Android app to authenticate without prompting for a password. To do so, we implement a custom authentication backend that validates the ID token provided by Google and then tries to see if we have a corresponding UserProfile on file for them. If the attestation is valid but the user is unregistered, we return that fact by modifying a dictionary passed in as a parameter. We then return the appropriate error message via the API. This commit adds a dependency on the "googleapi" module. On Debian-based systems with the Zulip APT repository: sudo apt-get install python-googleapi For OS X and other platforms: pip install googleapi (imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-10 23:48:05 +01:00
else:
return_data["valid_attestation"] = False
SSO / REMOTE_USER support (imported from commit 4f4fad7af5d3c6099cac95d7708338c182626d72)
2013-11-04 23:16:46 +01:00
class ZulipRemoteUserBackend(RemoteUserBackend):
create_unknown_user = False
def authenticate(self, remote_user):
if not remote_user:
Fix missing return None in ZulipRemoteUserBackend.authenticate.
2016-01-26 03:11:31 +01:00
return None
SSO / REMOTE_USER support (imported from commit 4f4fad7af5d3c6099cac95d7708338c182626d72)
2013-11-04 23:16:46 +01:00
email = remote_user_to_email(remote_user)
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
return common_get_active_user_by_email(email)
Fix ZulipRemoteUserBackend for activating mirror dummies. If you're using e.g. our Jabber<=>Zulip mirroring capability along with the RemoteUser SSO integration, previously it would fail if a user with a corresponding dummy user tried to login/signup (since they didn't have an account but one wouldn't be created because ZulipRemoteUserBackend was reporting that an account already existed). (imported from commit 006eaa9afa8feedddd860c2bef41e604285228a7)
2015-02-06 18:30:28 +01:00
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
class ZulipLDAPException(Exception):
pass
class ZulipLDAPAuthBackendBase(ZulipAuthMixin, LDAPBackend):
# Don't use Django LDAP's permissions functions
def has_perm(self, user, perm, obj=None):
return False
def has_module_perms(self, user, app_label):
return False
def get_all_permissions(self, user, obj=None):
return set()
def get_group_permissions(self, user, obj=None):
return set()
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
def django_to_ldap_username(self, username):
Improve LDAP_APPEND_DOMAIN default. The documentation suggests the default is None; this change makes that true. Also make the actual code robust to this being set to "" instead.
2015-10-13 22:57:38 +02:00
if settings.LDAP_APPEND_DOMAIN:
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
if not username.endswith("@" + settings.LDAP_APPEND_DOMAIN):
raise ZulipLDAPException("Username does not match LDAP domain.")
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
return email_to_username(username)
return username
def ldap_to_django_username(self, username):
Improve LDAP_APPEND_DOMAIN default. The documentation suggests the default is None; this change makes that true. Also make the actual code robust to this being set to "" instead.
2015-10-13 22:57:38 +02:00
if settings.LDAP_APPEND_DOMAIN:
Correctly concatenate local part with domain in LDAP backend. (imported from commit 951123e2e0ed52a11dc8b5ce3aeff2c1d4f5e816)
2013-11-25 17:57:30 +01:00
return "@".join((username, settings.LDAP_APPEND_DOMAIN))
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
return username
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
class ZulipLDAPAuthBackend(ZulipLDAPAuthBackendBase):
def authenticate(self, username, password):
try:
username = self.django_to_ldap_username(username)
return ZulipLDAPAuthBackendBase.authenticate(self, username, password)
except Realm.DoesNotExist:
return None
except ZulipLDAPException:
return None
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
def get_or_create_user(self, username, ldap_user):
try:
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
user_profile = get_user_profile_by_email(username)
if not user_profile.is_active or user_profile.realm.deactivated:
raise ZulipLDAPException("Realm has been deactivated")
return user_profile, False
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
except UserProfile.DoesNotExist:
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
domain = resolve_email_to_domain(username)
realm = get_realm(domain)
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
# No need to check for an inactive user since they don't exist yet
if realm.deactivated:
raise ZulipLDAPException("Realm has been deactivated")
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
full_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["full_name"]
Fix construction of names in LDAP integration. Previously these users' names were being set to 1-element lists containing the name, not the names themselves. This bug caused existing users to have their people module state (e.g. @-mentions, etc.) to break whenever a new user joined. Fixes #222.
2015-10-26 17:17:51 +01:00
short_name = full_name = ldap_user.attrs[full_name_attr][0]
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
if "short_name" in settings.AUTH_LDAP_USER_ATTR_MAP:
short_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["short_name"]
Fix construction of names in LDAP integration. Previously these users' names were being set to 1-element lists containing the name, not the names themselves. This bug caused existing users to have their people module state (e.g. @-mentions, etc.) to break whenever a new user joined. Fixes #222.
2015-10-26 17:17:51 +01:00
short_name = ldap_user.attrs[short_name_attr][0]
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
user_profile = do_create_user(username, None, realm, full_name, short_name)
return user_profile, False
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
# Just like ZulipLDAPAuthBackend, but doesn't let you log in.
class ZulipLDAPUserPopulator(ZulipLDAPAuthBackendBase):
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
def authenticate(self, username, password):
return None
Add a new dev login page for logging in without a password on the dev VM. (imported from commit ac8f2504771c9907b7e92dc91cec5f7220ce951b)
2015-08-19 02:58:20 +02:00
class DevAuthBackend(ZulipAuthMixin):
# Allow logging in as any user without a password.
# This is used for convenience when developing Zulip.
Add passwordless login for mobile app development. [Tweaked by tabbott to rename API to explicitly support not just Android].
2016-06-01 02:28:27 +02:00
def authenticate(self, username, return_data=None):
return common_get_active_user_by_email(username, return_data=return_data)