2016-08-01 13:06:35 +02:00
|
|
|
import logging
|
2017-03-03 19:01:52 +01:00
|
|
|
from typing import Any, Dict, List, Set, Tuple, Optional, Text
|
2016-08-01 13:06:35 +02:00
|
|
|
|
2017-10-24 17:59:39 +02:00
|
|
|
from apiclient.sample_tools import client as googleapiclient
|
|
|
|
from django_auth_ldap.backend import LDAPBackend, _LDAPUser
|
|
|
|
import django.contrib.auth
|
2013-11-04 23:16:46 +01:00
|
|
|
from django.contrib.auth.backends import RemoteUserBackend
|
2013-11-21 01:30:20 +01:00
|
|
|
from django.conf import settings
|
2017-10-24 17:59:39 +02:00
|
|
|
from django.http import HttpResponse
|
2014-01-10 23:48:05 +01:00
|
|
|
from oauth2client.crypt import AppIdentityError
|
2017-01-21 16:52:59 +01:00
|
|
|
from social_core.backends.github import GithubOAuth2, GithubOrganizationOAuth2, \
|
2016-08-01 13:06:35 +02:00
|
|
|
GithubTeamOAuth2
|
2017-11-17 07:53:52 +01:00
|
|
|
from social_core.utils import handle_http_errors
|
2017-03-07 08:32:40 +01:00
|
|
|
from social_core.exceptions import AuthFailed, SocialAuthBaseException
|
2017-03-24 10:48:52 +01:00
|
|
|
from social_django.models import DjangoStorage
|
|
|
|
from social_django.strategy import DjangoStrategy
|
|
|
|
|
2017-10-24 17:59:39 +02:00
|
|
|
from zerver.lib.actions import do_create_user
|
|
|
|
from zerver.lib.request import JsonableError
|
2017-10-20 02:53:24 +02:00
|
|
|
from zerver.lib.subdomains import user_matches_subdomain, get_subdomain
|
2017-10-24 17:59:39 +02:00
|
|
|
from zerver.lib.users import check_full_name
|
|
|
|
from zerver.models import UserProfile, Realm, get_user_profile_by_id, \
|
|
|
|
get_user_profile_by_email, remote_user_to_email, email_to_username, \
|
2017-11-17 22:43:16 +01:00
|
|
|
get_realm, get_user
|
2017-10-24 17:59:39 +02:00
|
|
|
|
2016-11-06 23:44:45 +01:00
|
|
|
def pad_method_dict(method_dict):
|
2016-12-08 05:06:51 +01:00
|
|
|
# type: (Dict[Text, bool]) -> Dict[Text, bool]
|
2016-11-06 23:44:45 +01:00
|
|
|
"""Pads an authentication methods dict to contain all auth backends
|
|
|
|
supported by the software, regardless of whether they are
|
|
|
|
configured on this server"""
|
|
|
|
for key in AUTH_BACKEND_NAME_MAP:
|
|
|
|
if key not in method_dict:
|
|
|
|
method_dict[key] = False
|
|
|
|
return method_dict
|
|
|
|
|
|
|
|
def auth_enabled_helper(backends_to_check, realm):
|
2016-12-08 05:06:51 +01:00
|
|
|
# type: (List[Text], Optional[Realm]) -> bool
|
2016-11-02 21:41:10 +01:00
|
|
|
if realm is not None:
|
|
|
|
enabled_method_dict = realm.authentication_methods_dict()
|
|
|
|
pad_method_dict(enabled_method_dict)
|
|
|
|
else:
|
|
|
|
enabled_method_dict = dict((method, True) for method in Realm.AUTHENTICATION_FLAGS)
|
|
|
|
pad_method_dict(enabled_method_dict)
|
2016-11-06 23:44:45 +01:00
|
|
|
for supported_backend in django.contrib.auth.get_backends():
|
|
|
|
for backend_name in backends_to_check:
|
|
|
|
backend = AUTH_BACKEND_NAME_MAP[backend_name]
|
|
|
|
if enabled_method_dict[backend_name] and isinstance(supported_backend, backend):
|
|
|
|
return True
|
2013-11-04 23:42:31 +01:00
|
|
|
return False
|
|
|
|
|
2016-11-07 00:04:59 +01:00
|
|
|
def ldap_auth_enabled(realm=None):
|
|
|
|
# type: (Optional[Realm]) -> bool
|
2017-11-02 08:05:56 +01:00
|
|
|
return auth_enabled_helper(['LDAP'], realm)
|
2016-11-07 00:04:59 +01:00
|
|
|
|
|
|
|
def email_auth_enabled(realm=None):
|
|
|
|
# type: (Optional[Realm]) -> bool
|
2017-11-02 08:05:56 +01:00
|
|
|
return auth_enabled_helper(['Email'], realm)
|
2016-11-07 00:04:59 +01:00
|
|
|
|
2016-11-06 23:44:45 +01:00
|
|
|
def password_auth_enabled(realm=None):
|
|
|
|
# type: (Optional[Realm]) -> bool
|
2016-11-07 00:04:59 +01:00
|
|
|
return ldap_auth_enabled(realm) or email_auth_enabled(realm)
|
2015-08-19 02:58:20 +02:00
|
|
|
|
2016-11-06 23:44:45 +01:00
|
|
|
def dev_auth_enabled(realm=None):
|
|
|
|
# type: (Optional[Realm]) -> bool
|
2017-11-02 08:05:56 +01:00
|
|
|
return auth_enabled_helper(['Dev'], realm)
|
2016-11-06 23:44:45 +01:00
|
|
|
|
|
|
|
def google_auth_enabled(realm=None):
|
|
|
|
# type: (Optional[Realm]) -> bool
|
2017-11-02 08:05:56 +01:00
|
|
|
return auth_enabled_helper(['Google'], realm)
|
2016-11-06 23:44:45 +01:00
|
|
|
|
|
|
|
def github_auth_enabled(realm=None):
|
|
|
|
# type: (Optional[Realm]) -> bool
|
2017-11-02 08:05:56 +01:00
|
|
|
return auth_enabled_helper(['GitHub'], realm)
|
2015-08-19 02:58:20 +02:00
|
|
|
|
2017-04-20 21:02:56 +02:00
|
|
|
def any_oauth_backend_enabled(realm=None):
|
|
|
|
# type: (Optional[Realm]) -> bool
|
|
|
|
"""Used by the login page process to determine whether to show the
|
|
|
|
'OR' for login with Google"""
|
2017-11-02 08:05:56 +01:00
|
|
|
return auth_enabled_helper(['GitHub', 'Google'], realm)
|
2017-04-20 21:02:56 +02:00
|
|
|
|
2017-09-15 16:59:03 +02:00
|
|
|
def require_email_format_usernames(realm=None):
|
|
|
|
# type: (Optional[Realm]) -> bool
|
|
|
|
if ldap_auth_enabled(realm):
|
|
|
|
if settings.LDAP_EMAIL_ATTR or settings.LDAP_APPEND_DOMAIN:
|
|
|
|
return False
|
|
|
|
return True
|
|
|
|
|
2017-11-17 22:43:16 +01:00
|
|
|
def common_get_active_user(email: str, realm: Realm,
|
|
|
|
return_data: Dict[str, Any]=None) -> Optional[UserProfile]:
|
|
|
|
try:
|
|
|
|
user_profile = get_user(email, realm)
|
|
|
|
except UserProfile.DoesNotExist:
|
|
|
|
# If the user doesn't have an account in the target realm, we
|
|
|
|
# check whether they might have an account in another realm,
|
|
|
|
# and if so, provide a helpful error message via
|
|
|
|
# `invalid_subdomain`.
|
|
|
|
try:
|
|
|
|
user_profile = get_user_profile_by_email(email)
|
|
|
|
except UserProfile.DoesNotExist:
|
|
|
|
return None
|
|
|
|
if return_data is not None:
|
|
|
|
return_data['invalid_subdomain'] = True
|
|
|
|
return None
|
|
|
|
if not user_profile.is_active:
|
|
|
|
if return_data is not None:
|
|
|
|
return_data['inactive_user'] = True
|
|
|
|
return None
|
|
|
|
if user_profile.realm.deactivated:
|
|
|
|
if return_data is not None:
|
|
|
|
return_data['inactive_realm'] = True
|
|
|
|
return None
|
|
|
|
return user_profile
|
|
|
|
|
2017-11-05 11:31:53 +01:00
|
|
|
class ZulipAuthMixin:
|
2013-11-01 20:22:12 +01:00
|
|
|
def get_user(self, user_profile_id):
|
2016-08-08 09:38:50 +02:00
|
|
|
# type: (int) -> Optional[UserProfile]
|
2013-11-01 20:22:12 +01:00
|
|
|
""" Get a UserProfile object from the user_profile_id. """
|
|
|
|
try:
|
|
|
|
return get_user_profile_by_id(user_profile_id)
|
|
|
|
except UserProfile.DoesNotExist:
|
|
|
|
return None
|
|
|
|
|
2016-07-26 12:12:01 +02:00
|
|
|
class SocialAuthMixin(ZulipAuthMixin):
|
2017-06-04 11:38:23 +02:00
|
|
|
auth_backend_name = None # type: Text
|
2016-11-07 00:09:21 +01:00
|
|
|
|
2016-08-08 09:45:52 +02:00
|
|
|
def get_email_address(self, *args, **kwargs):
|
2016-12-08 05:06:51 +01:00
|
|
|
# type: (*Any, **Any) -> Text
|
2016-07-26 12:12:01 +02:00
|
|
|
raise NotImplementedError
|
|
|
|
|
2016-08-08 09:45:52 +02:00
|
|
|
def get_full_name(self, *args, **kwargs):
|
2016-12-08 05:06:51 +01:00
|
|
|
# type: (*Any, **Any) -> Text
|
2016-07-26 12:12:01 +02:00
|
|
|
raise NotImplementedError
|
|
|
|
|
2017-11-17 07:53:52 +01:00
|
|
|
def get_authenticated_user(self, *args: Any, **kwargs: Any) -> Optional[UserProfile]:
|
|
|
|
raise NotImplementedError
|
|
|
|
|
|
|
|
@handle_http_errors
|
|
|
|
def do_auth(self, *args: Any, **kwargs: Any) -> Optional[HttpResponse]:
|
|
|
|
"""
|
|
|
|
This function is called once the authentication workflow is complete.
|
|
|
|
We override this function to:
|
|
|
|
1. Inject `return_data` and `realm_subdomain` kwargs. These will be
|
|
|
|
used by `authenticate()` functions of backends to make the
|
|
|
|
decision.
|
|
|
|
2. Call the proper authentication function to get the user in
|
|
|
|
`get_authenticated_user`.
|
|
|
|
|
|
|
|
The actual decision on authentication is done in
|
|
|
|
SocialAuthMixin._common_authenticate().
|
|
|
|
|
|
|
|
SocialAuthMixin.get_authenticated_user is expected to be overridden by
|
|
|
|
the derived class to add custom logic for authenticating the user and
|
|
|
|
returning the user.
|
|
|
|
"""
|
|
|
|
kwargs['return_data'] = {}
|
|
|
|
kwargs['realm_subdomain'] = get_subdomain(self.strategy.request) # type: ignore # `strategy` comes from Python Social Auth.
|
|
|
|
user_profile = self.get_authenticated_user(*args, **kwargs)
|
|
|
|
return self.process_do_auth(user_profile, *args, **kwargs)
|
|
|
|
|
2017-03-24 10:48:52 +01:00
|
|
|
def authenticate(self,
|
2017-11-21 20:47:26 +01:00
|
|
|
realm_subdomain: Optional[Text]='',
|
|
|
|
storage: Optional[DjangoStorage]=None,
|
|
|
|
strategy: Optional[DjangoStrategy]=None,
|
|
|
|
user: Optional[Dict[str, Any]]=None,
|
|
|
|
return_data: Optional[Dict[str, Any]]=None,
|
|
|
|
response: Optional[Dict[str, Any]]=None,
|
|
|
|
backend: Optional[GithubOAuth2]=None
|
|
|
|
) -> Optional[UserProfile]:
|
2017-03-24 10:48:52 +01:00
|
|
|
"""
|
|
|
|
Django decides which `authenticate` to call by inspecting the
|
|
|
|
arguments. So it's better to create `authenticate` function
|
|
|
|
with well defined arguments.
|
|
|
|
|
|
|
|
Keeping this function separate so that it can easily be
|
|
|
|
overridden.
|
|
|
|
"""
|
|
|
|
if user is None:
|
|
|
|
user = {}
|
|
|
|
|
2017-10-02 08:32:09 +02:00
|
|
|
assert return_data is not None
|
|
|
|
assert response is not None
|
2017-03-24 10:48:52 +01:00
|
|
|
|
|
|
|
return self._common_authenticate(self,
|
|
|
|
realm_subdomain=realm_subdomain,
|
|
|
|
storage=storage,
|
|
|
|
strategy=strategy,
|
|
|
|
user=user,
|
|
|
|
return_data=return_data,
|
|
|
|
response=response,
|
|
|
|
backend=backend)
|
|
|
|
|
|
|
|
def _common_authenticate(self, *args, **kwargs):
|
2016-08-08 09:38:50 +02:00
|
|
|
# type: (*Any, **Any) -> Optional[UserProfile]
|
2016-07-26 12:12:01 +02:00
|
|
|
return_data = kwargs.get('return_data', {})
|
|
|
|
|
|
|
|
email_address = self.get_email_address(*args, **kwargs)
|
|
|
|
if not email_address:
|
2017-03-23 06:02:07 +01:00
|
|
|
return_data['invalid_email'] = True
|
2016-07-26 12:12:01 +02:00
|
|
|
return None
|
|
|
|
|
|
|
|
try:
|
|
|
|
user_profile = get_user_profile_by_email(email_address)
|
|
|
|
except UserProfile.DoesNotExist:
|
|
|
|
return_data["valid_attestation"] = True
|
|
|
|
return None
|
|
|
|
|
|
|
|
if not user_profile.is_active:
|
|
|
|
return_data["inactive_user"] = True
|
|
|
|
return None
|
|
|
|
|
|
|
|
if user_profile.realm.deactivated:
|
|
|
|
return_data["inactive_realm"] = True
|
|
|
|
return None
|
|
|
|
|
2017-10-20 02:53:24 +02:00
|
|
|
if not user_matches_subdomain(kwargs.get("realm_subdomain"),
|
|
|
|
user_profile):
|
2016-07-19 14:35:08 +02:00
|
|
|
return_data["invalid_subdomain"] = True
|
|
|
|
return None
|
|
|
|
|
2016-11-07 00:09:21 +01:00
|
|
|
if not auth_enabled_helper([self.auth_backend_name], user_profile.realm):
|
|
|
|
return_data["auth_backend_disabled"] = True
|
|
|
|
return None
|
|
|
|
|
2016-07-26 12:12:01 +02:00
|
|
|
return user_profile
|
|
|
|
|
|
|
|
def process_do_auth(self, user_profile, *args, **kwargs):
|
2016-08-08 09:38:50 +02:00
|
|
|
# type: (UserProfile, *Any, **Any) -> Optional[HttpResponse]
|
2017-03-23 05:01:39 +01:00
|
|
|
# These functions need to be imported here to avoid cyclic
|
2016-07-26 12:12:01 +02:00
|
|
|
# dependency.
|
2016-12-01 13:10:59 +01:00
|
|
|
from zerver.views.auth import (login_or_register_remote_user,
|
2017-10-27 00:27:59 +02:00
|
|
|
redirect_to_subdomain_login_url,
|
|
|
|
redirect_and_log_into_subdomain)
|
2016-07-26 12:12:01 +02:00
|
|
|
|
|
|
|
return_data = kwargs.get('return_data', {})
|
|
|
|
|
|
|
|
inactive_user = return_data.get('inactive_user')
|
|
|
|
inactive_realm = return_data.get('inactive_realm')
|
2016-10-07 11:10:21 +02:00
|
|
|
invalid_subdomain = return_data.get('invalid_subdomain')
|
2017-03-23 06:02:07 +01:00
|
|
|
invalid_email = return_data.get('invalid_email')
|
2016-07-26 12:12:01 +02:00
|
|
|
|
2017-03-24 11:00:58 +01:00
|
|
|
if inactive_user or inactive_realm:
|
2017-03-23 06:02:07 +01:00
|
|
|
# Redirect to login page. We can't send to registration
|
2017-03-24 11:00:58 +01:00
|
|
|
# workflow with these errors. We will redirect to login page.
|
2016-07-26 12:12:01 +02:00
|
|
|
return None
|
|
|
|
|
2017-03-24 11:00:58 +01:00
|
|
|
if invalid_email:
|
|
|
|
# In case of invalid email, we will end up on registration page.
|
|
|
|
# This seems better than redirecting to login page.
|
|
|
|
logging.warning(
|
|
|
|
"{} got invalid email argument.".format(self.auth_backend_name)
|
|
|
|
)
|
2017-03-23 06:02:07 +01:00
|
|
|
|
2016-12-01 13:10:59 +01:00
|
|
|
strategy = self.strategy # type: ignore # This comes from Python Social Auth.
|
|
|
|
request = strategy.request
|
2016-07-26 12:12:01 +02:00
|
|
|
email_address = self.get_email_address(*args, **kwargs)
|
|
|
|
full_name = self.get_full_name(*args, **kwargs)
|
2017-05-05 19:54:36 +02:00
|
|
|
is_signup = strategy.session_get('is_signup') == '1'
|
2016-07-26 12:12:01 +02:00
|
|
|
|
2017-09-30 00:30:55 +02:00
|
|
|
mobile_flow_otp = strategy.session_get('mobile_flow_otp')
|
2017-10-26 02:48:21 +02:00
|
|
|
subdomain = strategy.session_get('subdomain')
|
|
|
|
if not subdomain:
|
|
|
|
# At least in our tests, this can be None; and it's not
|
|
|
|
# clear what the exact semantics of `session_get` are or
|
|
|
|
# what values it might return. Historically we treated
|
|
|
|
# any falsy value here as the root domain, so defensively
|
|
|
|
# continue that behavior.
|
|
|
|
subdomain = Realm.SUBDOMAIN_FOR_ROOT_DOMAIN
|
|
|
|
if (subdomain == Realm.SUBDOMAIN_FOR_ROOT_DOMAIN
|
|
|
|
or mobile_flow_otp is not None):
|
2016-12-01 13:10:59 +01:00
|
|
|
return login_or_register_remote_user(request, email_address,
|
|
|
|
user_profile, full_name,
|
2017-05-05 19:54:36 +02:00
|
|
|
invalid_subdomain=bool(invalid_subdomain),
|
2017-09-30 00:30:55 +02:00
|
|
|
mobile_flow_otp=mobile_flow_otp,
|
2017-05-05 19:54:36 +02:00
|
|
|
is_signup=is_signup)
|
2017-10-20 03:27:53 +02:00
|
|
|
realm = get_realm(subdomain)
|
|
|
|
if realm is None:
|
2016-12-01 13:10:59 +01:00
|
|
|
return redirect_to_subdomain_login_url()
|
2017-05-05 19:54:36 +02:00
|
|
|
return redirect_and_log_into_subdomain(realm, full_name, email_address,
|
|
|
|
is_signup=is_signup)
|
2016-07-26 12:12:01 +02:00
|
|
|
|
2017-02-28 11:58:03 +01:00
|
|
|
def auth_complete(self, *args, **kwargs):
|
|
|
|
# type: (*Any, **Any) -> Optional[HttpResponse]
|
2017-03-23 05:46:10 +01:00
|
|
|
"""
|
|
|
|
Returning `None` from this function will redirect the browser
|
|
|
|
to the login page.
|
|
|
|
"""
|
2017-02-28 11:58:03 +01:00
|
|
|
try:
|
2017-10-12 08:05:21 +02:00
|
|
|
# Call the auth_complete method of social_core.backends.oauth.BaseOAuth2
|
2017-10-27 08:28:23 +02:00
|
|
|
return super().auth_complete(*args, **kwargs) # type: ignore # monkey-patching
|
2017-02-28 11:58:03 +01:00
|
|
|
except AuthFailed:
|
|
|
|
return None
|
2017-03-07 08:32:40 +01:00
|
|
|
except SocialAuthBaseException as e:
|
2017-10-13 08:26:50 +02:00
|
|
|
logging.warning(str(e))
|
2017-03-07 08:32:40 +01:00
|
|
|
return None
|
2017-02-28 11:58:03 +01:00
|
|
|
|
2013-11-21 04:57:23 +01:00
|
|
|
class ZulipDummyBackend(ZulipAuthMixin):
|
|
|
|
"""
|
2017-11-17 22:43:16 +01:00
|
|
|
Used when we want to log you in without checking any
|
|
|
|
authentication (i.e. new user registration or when otherwise
|
|
|
|
authentication has already been checked earlier in the process).
|
2013-11-21 04:57:23 +01:00
|
|
|
"""
|
2016-11-29 07:22:02 +01:00
|
|
|
|
2017-11-17 22:43:16 +01:00
|
|
|
def authenticate(self, username: Optional[str]=None, realm: Optional[Realm]=None,
|
2017-11-21 20:47:26 +01:00
|
|
|
use_dummy_backend: bool=False,
|
2017-11-17 22:43:16 +01:00
|
|
|
return_data: Dict[str, Any]=None) -> Optional[UserProfile]:
|
2013-11-21 04:57:23 +01:00
|
|
|
if use_dummy_backend:
|
2017-11-17 22:43:16 +01:00
|
|
|
# These are kwargs only for readability; they should never be None
|
|
|
|
assert username is not None
|
|
|
|
assert realm is not None
|
|
|
|
return common_get_active_user(username, realm, return_data)
|
2013-11-21 04:57:23 +01:00
|
|
|
return None
|
|
|
|
|
2013-11-01 20:22:12 +01:00
|
|
|
class EmailAuthBackend(ZulipAuthMixin):
|
2013-08-06 22:51:47 +02:00
|
|
|
"""
|
|
|
|
Email Authentication Backend
|
|
|
|
|
|
|
|
Allows a user to sign in using an email/password pair rather than
|
|
|
|
a username/password pair.
|
|
|
|
"""
|
2016-11-29 07:22:02 +01:00
|
|
|
|
2017-11-21 20:47:26 +01:00
|
|
|
def authenticate(self, username: Optional[str]=None, password: Optional[str]=None,
|
2017-11-17 23:56:45 +01:00
|
|
|
realm: Optional[Realm]=None,
|
2017-11-21 20:47:26 +01:00
|
|
|
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
|
2013-08-06 22:51:47 +02:00
|
|
|
""" Authenticate a user based on email address as the user name. """
|
|
|
|
if username is None or password is None:
|
2017-11-21 21:32:42 +01:00
|
|
|
# Because of how we structure our auth calls to always
|
|
|
|
# specify which backend to use when not using
|
|
|
|
# EmailAuthBackend, username and password should always be set.
|
|
|
|
raise AssertionError("Invalid call to authenticate for EmailAuthBackend")
|
2017-11-17 23:56:45 +01:00
|
|
|
if realm is None:
|
|
|
|
return None
|
|
|
|
if not password_auth_enabled(realm):
|
2016-04-21 21:07:43 +02:00
|
|
|
if return_data is not None:
|
|
|
|
return_data['password_auth_disabled'] = True
|
2016-04-21 07:19:08 +02:00
|
|
|
return None
|
2017-11-17 23:56:45 +01:00
|
|
|
if not email_auth_enabled(realm):
|
2016-11-07 00:04:59 +01:00
|
|
|
if return_data is not None:
|
|
|
|
return_data['email_auth_disabled'] = True
|
|
|
|
return None
|
2017-11-21 21:39:56 +01:00
|
|
|
|
2017-11-21 21:42:21 +01:00
|
|
|
user_profile = common_get_active_user(username, realm, return_data=return_data)
|
2017-11-21 21:39:56 +01:00
|
|
|
if user_profile is None:
|
|
|
|
return None
|
2016-04-21 07:19:08 +02:00
|
|
|
if user_profile.check_password(password):
|
|
|
|
return user_profile
|
2016-07-19 14:35:08 +02:00
|
|
|
return None
|
2013-08-06 22:51:47 +02:00
|
|
|
|
2014-01-10 23:48:05 +01:00
|
|
|
class GoogleMobileOauth2Backend(ZulipAuthMixin):
|
|
|
|
"""
|
2017-11-21 21:29:09 +01:00
|
|
|
Google Apps authentication for the legacy Android app.
|
|
|
|
DummyAuthBackend is what's actually used for our modern Google auth,
|
|
|
|
both for web and mobile (the latter via the mobile_flow_otp feature).
|
2014-01-10 23:48:05 +01:00
|
|
|
|
|
|
|
Allows a user to sign in using a Google-issued OAuth2 token.
|
|
|
|
|
|
|
|
Ref:
|
|
|
|
https://developers.google.com/+/mobile/android/sign-in#server-side_access_for_your_app
|
|
|
|
https://developers.google.com/accounts/docs/CrossClientAuth#offlineAccess
|
|
|
|
"""
|
2016-11-29 07:22:02 +01:00
|
|
|
|
2017-11-21 21:23:07 +01:00
|
|
|
def authenticate(self, google_oauth2_token: str=None, realm: Optional[Realm]=None,
|
2017-11-21 20:47:26 +01:00
|
|
|
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
|
2017-11-21 21:23:07 +01:00
|
|
|
if realm is None:
|
|
|
|
return None
|
2017-03-24 08:45:21 +01:00
|
|
|
if return_data is None:
|
|
|
|
return_data = {}
|
|
|
|
|
2017-11-21 21:23:41 +01:00
|
|
|
if not google_auth_enabled(realm=realm):
|
|
|
|
return_data["google_auth_disabled"] = True
|
|
|
|
return None
|
|
|
|
|
2014-01-10 23:48:05 +01:00
|
|
|
try:
|
|
|
|
token_payload = googleapiclient.verify_id_token(google_oauth2_token, settings.GOOGLE_CLIENT_ID)
|
|
|
|
except AppIdentityError:
|
|
|
|
return None
|
2017-11-21 21:25:58 +01:00
|
|
|
|
|
|
|
if token_payload["email_verified"] not in (True, "true"):
|
2014-01-10 23:48:05 +01:00
|
|
|
return_data["valid_attestation"] = False
|
2017-03-03 20:30:49 +01:00
|
|
|
return None
|
2014-01-10 23:48:05 +01:00
|
|
|
|
2017-11-21 21:25:58 +01:00
|
|
|
return_data["valid_attestation"] = True
|
2017-11-21 21:26:41 +01:00
|
|
|
return common_get_active_user(token_payload["email"], realm, return_data)
|
2017-11-21 21:25:58 +01:00
|
|
|
|
2013-11-04 23:16:46 +01:00
|
|
|
class ZulipRemoteUserBackend(RemoteUserBackend):
|
|
|
|
create_unknown_user = False
|
2016-11-29 07:22:02 +01:00
|
|
|
|
2017-11-21 20:47:26 +01:00
|
|
|
def authenticate(self, remote_user: Optional[str],
|
2017-11-17 23:14:08 +01:00
|
|
|
realm: Optional[Realm]=None) -> Optional[UserProfile]:
|
2017-11-21 21:00:37 +01:00
|
|
|
assert remote_user is not None
|
2017-11-17 23:14:08 +01:00
|
|
|
if realm is None:
|
|
|
|
return None
|
2017-11-21 21:04:04 +01:00
|
|
|
if not auth_enabled_helper(["RemoteUser"], realm):
|
|
|
|
return None
|
2013-11-04 23:16:46 +01:00
|
|
|
|
|
|
|
email = remote_user_to_email(remote_user)
|
2017-11-21 21:04:52 +01:00
|
|
|
return common_get_active_user(email, realm)
|
2015-02-06 18:30:28 +01:00
|
|
|
|
2017-09-27 00:56:34 +02:00
|
|
|
class ZulipLDAPException(_LDAPUser.AuthenticationFailed):
|
2015-10-13 23:08:05 +02:00
|
|
|
pass
|
|
|
|
|
2017-09-22 10:58:12 +02:00
|
|
|
class ZulipLDAPConfigurationError(Exception):
|
|
|
|
pass
|
|
|
|
|
2015-10-13 23:08:05 +02:00
|
|
|
class ZulipLDAPAuthBackendBase(ZulipAuthMixin, LDAPBackend):
|
|
|
|
# Don't use Django LDAP's permissions functions
|
|
|
|
def has_perm(self, user, perm, obj=None):
|
2017-05-24 04:21:29 +02:00
|
|
|
# type: (Optional[UserProfile], Any, Any) -> bool
|
2016-08-08 09:38:50 +02:00
|
|
|
# Using Any type is safe because we are not doing anything with
|
|
|
|
# the arguments.
|
2015-10-13 23:08:05 +02:00
|
|
|
return False
|
2016-11-29 07:22:02 +01:00
|
|
|
|
2015-10-13 23:08:05 +02:00
|
|
|
def has_module_perms(self, user, app_label):
|
2017-05-24 04:21:29 +02:00
|
|
|
# type: (Optional[UserProfile], Optional[str]) -> bool
|
2015-10-13 23:08:05 +02:00
|
|
|
return False
|
2016-11-29 07:22:02 +01:00
|
|
|
|
2015-10-13 23:08:05 +02:00
|
|
|
def get_all_permissions(self, user, obj=None):
|
2017-11-02 06:36:10 +01:00
|
|
|
# type: (Optional[UserProfile], Any) -> Set[Any]
|
2016-08-08 09:38:50 +02:00
|
|
|
# Using Any type is safe because we are not doing anything with
|
2017-11-02 06:36:10 +01:00
|
|
|
# the arguments and always return empty set.
|
2015-10-13 23:08:05 +02:00
|
|
|
return set()
|
2016-11-29 07:22:02 +01:00
|
|
|
|
2015-10-13 23:08:05 +02:00
|
|
|
def get_group_permissions(self, user, obj=None):
|
2017-11-02 06:36:10 +01:00
|
|
|
# type: (Optional[UserProfile], Any) -> Set[Any]
|
2016-08-08 09:38:50 +02:00
|
|
|
# Using Any type is safe because we are not doing anything with
|
2017-11-02 06:36:10 +01:00
|
|
|
# the arguments and always return empty set.
|
2015-10-13 23:08:05 +02:00
|
|
|
return set()
|
|
|
|
|
2013-11-21 01:30:20 +01:00
|
|
|
def django_to_ldap_username(self, username):
|
2016-12-08 05:06:51 +01:00
|
|
|
# type: (Text) -> Text
|
2015-10-13 22:57:38 +02:00
|
|
|
if settings.LDAP_APPEND_DOMAIN:
|
2015-10-13 23:08:05 +02:00
|
|
|
if not username.endswith("@" + settings.LDAP_APPEND_DOMAIN):
|
|
|
|
raise ZulipLDAPException("Username does not match LDAP domain.")
|
2013-11-21 01:30:20 +01:00
|
|
|
return email_to_username(username)
|
|
|
|
return username
|
2016-11-29 07:22:02 +01:00
|
|
|
|
2013-11-21 01:30:20 +01:00
|
|
|
def ldap_to_django_username(self, username):
|
2016-08-08 09:38:50 +02:00
|
|
|
# type: (str) -> str
|
2015-10-13 22:57:38 +02:00
|
|
|
if settings.LDAP_APPEND_DOMAIN:
|
2013-11-25 17:57:30 +01:00
|
|
|
return "@".join((username, settings.LDAP_APPEND_DOMAIN))
|
2013-11-21 01:30:20 +01:00
|
|
|
return username
|
|
|
|
|
2015-10-13 23:08:05 +02:00
|
|
|
class ZulipLDAPAuthBackend(ZulipLDAPAuthBackendBase):
|
2017-09-22 10:58:12 +02:00
|
|
|
REALM_IS_NONE_ERROR = 1
|
|
|
|
|
2017-11-17 23:56:45 +01:00
|
|
|
def authenticate(self, username: str, password: str, realm: Optional[Realm]=None,
|
2017-11-21 20:47:26 +01:00
|
|
|
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
|
2017-11-17 23:56:45 +01:00
|
|
|
if realm is None:
|
|
|
|
return None
|
|
|
|
self._realm = realm
|
2017-11-21 21:45:32 +01:00
|
|
|
if not ldap_auth_enabled(realm):
|
|
|
|
return None
|
2017-11-17 23:56:45 +01:00
|
|
|
|
2015-10-13 23:08:05 +02:00
|
|
|
try:
|
|
|
|
username = self.django_to_ldap_username(username)
|
2017-11-21 21:52:34 +01:00
|
|
|
return ZulipLDAPAuthBackendBase.authenticate(self,
|
|
|
|
username=username,
|
|
|
|
password=password)
|
2017-09-27 21:30:53 +02:00
|
|
|
except ZulipLDAPException:
|
2017-10-02 08:32:09 +02:00
|
|
|
return None # nocoverage # TODO: this may no longer be possible
|
2015-10-13 23:08:05 +02:00
|
|
|
|
2013-11-21 01:30:20 +01:00
|
|
|
def get_or_create_user(self, username, ldap_user):
|
2016-08-08 09:38:50 +02:00
|
|
|
# type: (str, _LDAPUser) -> Tuple[UserProfile, bool]
|
2017-09-10 17:25:24 +02:00
|
|
|
|
2017-11-21 21:48:55 +01:00
|
|
|
if settings.LDAP_EMAIL_ATTR is not None:
|
|
|
|
# Get email from ldap attributes.
|
|
|
|
if settings.LDAP_EMAIL_ATTR not in ldap_user.attrs:
|
|
|
|
raise ZulipLDAPException("LDAP user doesn't have the needed %s attribute" % (
|
|
|
|
settings.LDAP_EMAIL_ATTR,))
|
|
|
|
|
|
|
|
username = ldap_user.attrs[settings.LDAP_EMAIL_ATTR][0]
|
2017-09-10 17:25:24 +02:00
|
|
|
|
2017-11-21 21:52:34 +01:00
|
|
|
return_data = {} # type: Dict[str, Any]
|
|
|
|
user_profile = common_get_active_user(username, self._realm, return_data)
|
2017-11-21 21:57:23 +01:00
|
|
|
if user_profile is not None:
|
|
|
|
# An existing user, successfully authed; return it.
|
|
|
|
return user_profile, False
|
|
|
|
|
2017-11-21 21:52:34 +01:00
|
|
|
if return_data.get("inactive_realm"):
|
2017-11-18 01:13:35 +01:00
|
|
|
# This happens if there is a user account in a deactivated realm
|
2017-11-21 21:52:34 +01:00
|
|
|
raise ZulipLDAPException("Realm has been deactivated")
|
|
|
|
if return_data.get("inactive_user"):
|
2017-11-18 01:07:20 +01:00
|
|
|
raise ZulipLDAPException("User has been deactivated")
|
2017-11-21 21:52:34 +01:00
|
|
|
if return_data.get("invalid_subdomain"):
|
|
|
|
# TODO: Implement something in the caller for this to
|
|
|
|
# provide a nice user-facing error message for this
|
|
|
|
# situation (right now it just acts like any other auth
|
|
|
|
# failure).
|
|
|
|
raise ZulipLDAPException("Wrong subdomain")
|
2017-11-18 01:12:05 +01:00
|
|
|
if self._realm.deactivated:
|
2017-11-18 01:13:35 +01:00
|
|
|
# This happens if no account exists, but the realm is
|
|
|
|
# deactivated, so we shouldn't create a new user account
|
2017-11-18 01:12:05 +01:00
|
|
|
raise ZulipLDAPException("Realm has been deactivated")
|
|
|
|
|
2017-11-18 01:13:35 +01:00
|
|
|
# We have valid LDAP credentials; time to create an account.
|
2017-11-18 01:12:05 +01:00
|
|
|
full_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["full_name"]
|
|
|
|
short_name = full_name = ldap_user.attrs[full_name_attr][0]
|
|
|
|
try:
|
|
|
|
full_name = check_full_name(full_name)
|
|
|
|
except JsonableError as e:
|
|
|
|
raise ZulipLDAPException(e.msg)
|
|
|
|
if "short_name" in settings.AUTH_LDAP_USER_ATTR_MAP:
|
|
|
|
short_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["short_name"]
|
|
|
|
short_name = ldap_user.attrs[short_name_attr][0]
|
|
|
|
|
|
|
|
user_profile = do_create_user(username, None, self._realm, full_name, short_name)
|
|
|
|
|
|
|
|
return user_profile, True
|
2013-11-21 01:30:20 +01:00
|
|
|
|
2015-10-13 23:08:05 +02:00
|
|
|
# Just like ZulipLDAPAuthBackend, but doesn't let you log in.
|
|
|
|
class ZulipLDAPUserPopulator(ZulipLDAPAuthBackendBase):
|
2017-11-17 23:56:45 +01:00
|
|
|
def authenticate(self, username: str, password: str, realm: Optional[Realm]=None,
|
2017-11-21 20:47:26 +01:00
|
|
|
return_data: Optional[Dict[str, Any]]=None) -> None:
|
2013-11-21 01:30:20 +01:00
|
|
|
return None
|
2015-08-19 02:58:20 +02:00
|
|
|
|
|
|
|
class DevAuthBackend(ZulipAuthMixin):
|
|
|
|
# Allow logging in as any user without a password.
|
|
|
|
# This is used for convenience when developing Zulip.
|
2017-11-21 21:19:20 +01:00
|
|
|
def authenticate(self, dev_auth_username: Optional[str]=None, realm: Optional[Realm]=None,
|
2017-11-21 20:47:26 +01:00
|
|
|
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
|
2017-11-21 21:13:46 +01:00
|
|
|
assert dev_auth_username is not None
|
2017-11-21 21:19:20 +01:00
|
|
|
if realm is None:
|
|
|
|
return None
|
2017-11-21 21:19:58 +01:00
|
|
|
if not dev_auth_enabled(realm):
|
|
|
|
return None
|
2017-11-21 21:20:44 +01:00
|
|
|
return common_get_active_user(dev_auth_username, realm, return_data=return_data)
|
2016-07-20 13:33:27 +02:00
|
|
|
|
2016-07-29 21:47:14 +02:00
|
|
|
class GitHubAuthBackend(SocialAuthMixin, GithubOAuth2):
|
2017-11-02 08:05:56 +01:00
|
|
|
auth_backend_name = "GitHub"
|
2016-11-07 00:09:21 +01:00
|
|
|
|
2016-07-26 12:12:01 +02:00
|
|
|
def get_email_address(self, *args, **kwargs):
|
2016-12-08 05:06:51 +01:00
|
|
|
# type: (*Any, **Any) -> Optional[Text]
|
2016-07-20 13:33:27 +02:00
|
|
|
try:
|
2016-07-26 12:12:01 +02:00
|
|
|
return kwargs['response']['email']
|
2017-10-02 08:32:09 +02:00
|
|
|
except KeyError: # nocoverage # TODO: investigate
|
2016-07-20 13:33:27 +02:00
|
|
|
return None
|
|
|
|
|
2016-07-26 12:12:01 +02:00
|
|
|
def get_full_name(self, *args, **kwargs):
|
2016-12-08 05:06:51 +01:00
|
|
|
# type: (*Any, **Any) -> Text
|
2017-03-09 09:45:21 +01:00
|
|
|
# In case of any error return an empty string. Name is used by
|
|
|
|
# the registration page to pre-populate the name field. However,
|
|
|
|
# if it is not supplied, our registration process will make sure
|
|
|
|
# that the user enters a valid name.
|
2016-07-20 13:33:27 +02:00
|
|
|
try:
|
2017-03-09 09:45:21 +01:00
|
|
|
name = kwargs['response']['name']
|
2016-07-26 12:12:01 +02:00
|
|
|
except KeyError:
|
2017-03-09 09:45:21 +01:00
|
|
|
name = ''
|
|
|
|
|
|
|
|
if name is None:
|
2016-07-26 12:12:01 +02:00
|
|
|
return ''
|
2016-07-20 13:33:27 +02:00
|
|
|
|
2017-03-09 09:45:21 +01:00
|
|
|
return name
|
|
|
|
|
2017-11-17 07:53:52 +01:00
|
|
|
def get_authenticated_user(self, *args: Any, **kwargs: Any) -> Optional[UserProfile]:
|
2017-03-23 05:46:10 +01:00
|
|
|
"""
|
|
|
|
This function is called once the OAuth2 workflow is complete. We
|
2017-11-17 07:53:52 +01:00
|
|
|
override this function to call the proper `do_auth` function depending
|
|
|
|
on whether we are doing individual, team or organization based GitHub
|
|
|
|
authentication. The actual decision on authentication is done in
|
2017-03-24 10:48:52 +01:00
|
|
|
SocialAuthMixin._common_authenticate().
|
2017-03-23 05:46:10 +01:00
|
|
|
"""
|
2016-08-01 13:06:35 +02:00
|
|
|
user_profile = None
|
|
|
|
|
|
|
|
team_id = settings.SOCIAL_AUTH_GITHUB_TEAM_ID
|
|
|
|
org_name = settings.SOCIAL_AUTH_GITHUB_ORG_NAME
|
|
|
|
|
|
|
|
if (team_id is None and org_name is None):
|
2017-02-28 11:58:03 +01:00
|
|
|
try:
|
|
|
|
user_profile = GithubOAuth2.do_auth(self, *args, **kwargs)
|
|
|
|
except AuthFailed:
|
|
|
|
logging.info("User authentication failed.")
|
|
|
|
user_profile = None
|
2016-08-01 13:06:35 +02:00
|
|
|
|
|
|
|
elif (team_id):
|
|
|
|
backend = GithubTeamOAuth2(self.strategy, self.redirect_uri)
|
|
|
|
try:
|
|
|
|
user_profile = backend.do_auth(*args, **kwargs)
|
|
|
|
except AuthFailed:
|
2017-01-12 03:08:29 +01:00
|
|
|
logging.info("User is not member of GitHub team.")
|
2016-08-01 13:06:35 +02:00
|
|
|
user_profile = None
|
|
|
|
|
|
|
|
elif (org_name):
|
|
|
|
backend = GithubOrganizationOAuth2(self.strategy, self.redirect_uri)
|
|
|
|
try:
|
|
|
|
user_profile = backend.do_auth(*args, **kwargs)
|
|
|
|
except AuthFailed:
|
2017-01-12 03:08:29 +01:00
|
|
|
logging.info("User is not member of GitHub organization.")
|
2016-08-01 13:06:35 +02:00
|
|
|
user_profile = None
|
|
|
|
|
2017-11-17 07:53:52 +01:00
|
|
|
return user_profile
|
2016-11-06 23:44:45 +01:00
|
|
|
|
|
|
|
AUTH_BACKEND_NAME_MAP = {
|
2017-11-02 08:05:56 +01:00
|
|
|
'Dev': DevAuthBackend,
|
|
|
|
'Email': EmailAuthBackend,
|
|
|
|
'GitHub': GitHubAuthBackend,
|
|
|
|
'Google': GoogleMobileOauth2Backend,
|
|
|
|
'LDAP': ZulipLDAPAuthBackend,
|
|
|
|
'RemoteUser': ZulipRemoteUserBackend,
|
2017-06-04 11:38:23 +02:00
|
|
|
} # type: Dict[Text, Any]
|