Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zulip/zproject/backends.py

428 lines
17 KiB
Python
Raw Normal View History

SSO / REMOTE_USER support (imported from commit 4f4fad7af5d3c6099cac95d7708338c182626d72)
2013-11-04 23:16:46 +01:00
from __future__ import absolute_import
Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
import logging
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
from typing import Any, Set, Tuple, Optional
from six import text_type
Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
SSO / REMOTE_USER support (imported from commit 4f4fad7af5d3c6099cac95d7708338c182626d72)
2013-11-04 23:16:46 +01:00
from django.contrib.auth.backends import RemoteUserBackend
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
from django.conf import settings
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
from django.http import HttpResponse
Disable password change when SSO is the only login option (imported from commit fd1a14237e2d6ea574331ed178bfc0db5beb18c6)
2013-11-04 23:42:31 +01:00
import django.contrib.auth
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
from django_auth_ldap.backend import LDAPBackend, _LDAPUser
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
from zerver.lib.actions import do_create_user
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
from zerver.models import UserProfile, Realm, get_user_profile_by_id, \
get_user_profile_by_email, remote_user_to_email, email_to_username, \
Prevent code from using email domain to determine realm when subdomains. Also removes the intermediate step of going through Realm.domain in the non-subdomains case. Part of a larger project to remove Realm.domain entirely.
2016-11-09 02:40:54 +01:00
get_realm, get_realm_by_email_domain
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
[manual] Accept OAuth2 tokens for API login via Google Apps This is used by the Android app to authenticate without prompting for a password. To do so, we implement a custom authentication backend that validates the ID token provided by Google and then tries to see if we have a corresponding UserProfile on file for them. If the attestation is valid but the user is unregistered, we return that fact by modifying a dictionary passed in as a parameter. We then return the appropriate error message via the API. This commit adds a dependency on the "googleapi" module. On Debian-based systems with the Zulip APT repository: sudo apt-get install python-googleapi For OS X and other platforms: pip install googleapi (imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-10 23:48:05 +01:00
from apiclient.sample_tools import client as googleapiclient
from oauth2client.crypt import AppIdentityError
Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
from social.backends.github import GithubOAuth2, GithubOrganizationOAuth2, \
GithubTeamOAuth2
from social.exceptions import AuthFailed
Add GitHub authentication. Fixes: #1042
2016-07-20 13:33:27 +02:00
from django.contrib.auth import authenticate
GitHub: Show error on login page for wrong subdomain. While logging in through GitHub, if the user tries to login to the wrong subdomain then show an appropriate message.
2016-10-07 11:10:21 +02:00
from zerver.lib.utils import check_subdomain, get_subdomain
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
auth: Refactor auth backend enabled checking code.
2016-11-06 23:44:45 +01:00
def pad_method_dict(method_dict):
# type: (Dict[text_type, bool]) -> Dict[text_type, bool]
"""Pads an authentication methods dict to contain all auth backends
supported by the software, regardless of whether they are
configured on this server"""
for key in AUTH_BACKEND_NAME_MAP:
if key not in method_dict:
method_dict[key] = False
return method_dict
def auth_enabled_helper(backends_to_check, realm):
# type: (List[text_type], Optional[Realm]) -> bool
auth: Make supported authentication backends a bitfield on realm. This makes it possible to configure only certain authentication methods to be enabled on a per-realm basis. Note that the authentication_methods_dict function (which checks what backends are supported on the realm) requires an in function import due to a circular dependency.
2016-11-02 21:41:10 +01:00
if realm is not None:
enabled_method_dict = realm.authentication_methods_dict()
pad_method_dict(enabled_method_dict)
else:
enabled_method_dict = dict((method, True) for method in Realm.AUTHENTICATION_FLAGS)
pad_method_dict(enabled_method_dict)
auth: Refactor auth backend enabled checking code.
2016-11-06 23:44:45 +01:00
for supported_backend in django.contrib.auth.get_backends():
for backend_name in backends_to_check:
backend = AUTH_BACKEND_NAME_MAP[backend_name]
if enabled_method_dict[backend_name] and isinstance(supported_backend, backend):
return True
Disable password change when SSO is the only login option (imported from commit fd1a14237e2d6ea574331ed178bfc0db5beb18c6)
2013-11-04 23:42:31 +01:00
return False
auth: Separate email_auth_enabled from ldap_auth_enabled.
2016-11-07 00:04:59 +01:00
def ldap_auth_enabled(realm=None):
# type: (Optional[Realm]) -> bool
return auth_enabled_helper([u'LDAP'], realm)
def email_auth_enabled(realm=None):
# type: (Optional[Realm]) -> bool
return auth_enabled_helper([u'Email'], realm)
auth: Refactor auth backend enabled checking code.
2016-11-06 23:44:45 +01:00
def password_auth_enabled(realm=None):
# type: (Optional[Realm]) -> bool
auth: Separate email_auth_enabled from ldap_auth_enabled.
2016-11-07 00:04:59 +01:00
return ldap_auth_enabled(realm) or email_auth_enabled(realm)
Add a new dev login page for logging in without a password on the dev VM. (imported from commit ac8f2504771c9907b7e92dc91cec5f7220ce951b)
2015-08-19 02:58:20 +02:00
auth: Refactor auth backend enabled checking code.
2016-11-06 23:44:45 +01:00
def dev_auth_enabled(realm=None):
# type: (Optional[Realm]) -> bool
return auth_enabled_helper([u'Dev'], realm)
def google_auth_enabled(realm=None):
# type: (Optional[Realm]) -> bool
return auth_enabled_helper([u'Google'], realm)
def github_auth_enabled(realm=None):
# type: (Optional[Realm]) -> bool
return auth_enabled_helper([u'GitHub'], realm)
Add a new dev login page for logging in without a password on the dev VM. (imported from commit ac8f2504771c9907b7e92dc91cec5f7220ce951b)
2015-08-19 02:58:20 +02:00
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
def common_get_active_user_by_email(email, return_data=None):
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# type: (text_type, Optional[Dict[str, Any]]) -> Optional[UserProfile]
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
try:
user_profile = get_user_profile_by_email(email)
except UserProfile.DoesNotExist:
return None
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
if not user_profile.is_active:
if return_data is not None:
return_data['inactive_user'] = True
return None
if user_profile.realm.deactivated:
if return_data is not None:
return_data['inactive_realm'] = True
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
return None
return user_profile
Factor out get_user in zproject/backends.py (imported from commit d60b5440722ed596ffbcb81086b2f62d535288dd)
2013-11-01 20:22:12 +01:00
class ZulipAuthMixin(object):
def get_user(self, user_profile_id):
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# type: (int) -> Optional[UserProfile]
Factor out get_user in zproject/backends.py (imported from commit d60b5440722ed596ffbcb81086b2f62d535288dd)
2013-11-01 20:22:12 +01:00
""" Get a UserProfile object from the user_profile_id. """
try:
return get_user_profile_by_id(user_profile_id)
except UserProfile.DoesNotExist:
return None
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
class SocialAuthMixin(ZulipAuthMixin):
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
auth_backend_name = None # type: text_type
Add *args and **kwargs to functions. Arguments are added to: - SocialAuthMixin.get_email_address - SocialAuthMixin.get_full_name
2016-08-08 09:45:52 +02:00
def get_email_address(self, *args, **kwargs):
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# type: (*Any, **Any) -> text_type
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
raise NotImplementedError
Add *args and **kwargs to functions. Arguments are added to: - SocialAuthMixin.get_email_address - SocialAuthMixin.get_full_name
2016-08-08 09:45:52 +02:00
def get_full_name(self, *args, **kwargs):
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# type: (*Any, **Any) -> text_type
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
raise NotImplementedError
def authenticate(self, *args, **kwargs):
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# type: (*Any, **Any) -> Optional[UserProfile]
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
return_data = kwargs.get('return_data', {})
email_address = self.get_email_address(*args, **kwargs)
if not email_address:
return None
try:
user_profile = get_user_profile_by_email(email_address)
except UserProfile.DoesNotExist:
return_data["valid_attestation"] = True
return None
if not user_profile.is_active:
return_data["inactive_user"] = True
return None
if user_profile.realm.deactivated:
return_data["inactive_realm"] = True
return None
Add option for hosting each realm on its own subdomain. This adds support for running a Zulip production server with each realm on its own unique subdomain, e.g. https://realm_name.example.com. This patch includes a ton of important features: * Configuring the Zulip sesion middleware to issue cookier correctly for the subdomains case. * Throwing an error if the user tries to visit an invalid subdomain. * Runs a portion of the Casper tests with REALMS_HAVE_SUBDOMAINS enabled to test the subdomain signup process. * Updating our integrations documentation to refer to the current subdomain. * Enforces that users can only login to the subdomain of their realm (but does not restrict the API; that will be tightened in a future commit). Note that toggling settings.REALMS_HAVE_SUBDOMAINS on a live server is not supported without manual intervention (the main problem will be adding "subdomain" values for all the existing realms). [substantially modified by tabbott as part of merging]
2016-07-19 14:35:08 +02:00
if not check_subdomain(kwargs.get("realm_subdomain"),
user_profile.realm.subdomain):
return_data["invalid_subdomain"] = True
return None
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
if not auth_enabled_helper([self.auth_backend_name], user_profile.realm):
return_data["auth_backend_disabled"] = True
return None
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
return user_profile
def process_do_auth(self, user_profile, *args, **kwargs):
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# type: (UserProfile, *Any, **Any) -> Optional[HttpResponse]
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
# This function needs to be imported from here due to the cyclic
# dependency.
views: Split views/auth.py out of core views file.
2016-10-12 04:50:38 +02:00
from zerver.views.auth import login_or_register_remote_user
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
return_data = kwargs.get('return_data', {})
inactive_user = return_data.get('inactive_user')
inactive_realm = return_data.get('inactive_realm')
GitHub: Show error on login page for wrong subdomain. While logging in through GitHub, if the user tries to login to the wrong subdomain then show an appropriate message.
2016-10-07 11:10:21 +02:00
invalid_subdomain = return_data.get('invalid_subdomain')
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
if inactive_user or inactive_realm:
return None
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
request = self.strategy.request # type: ignore # This comes from Python Social Auth.
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
email_address = self.get_email_address(*args, **kwargs)
full_name = self.get_full_name(*args, **kwargs)
return login_or_register_remote_user(request, email_address,
GitHub: Show error on login page for wrong subdomain. While logging in through GitHub, if the user tries to login to the wrong subdomain then show an appropriate message.
2016-10-07 11:10:21 +02:00
user_profile, full_name,
bool(invalid_subdomain))
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
Use LDAP-provided information if available for real names If authoritative data is available from say the LDAP database, we now ignore the POSTed user name, and don't offer it as a form field. We fall back to giving the user a text field if they aren't in LDAP. If users do not have any form fields to fill out, we simply bring them to the app without the registration page, logging them in using a dummy backend. (imported from commit 6bee87430ba46ff753ea3408251e8a80c45c713f)
2013-11-21 04:57:23 +01:00
class ZulipDummyBackend(ZulipAuthMixin):
"""
Used when we want to log you in but we don't know which backend to use.
"""
auth: Give nicer subdomain errors when using ZulipDummyBackend. This improves Google and JWT auth as well as the registration codepath to log something if the wrong subdomain is encountered. Ideally, we'd have tests for these, and code to make the Google and JWT auth cases show a clear error message.
2016-08-14 04:44:55 +02:00
def authenticate(self, username=None, realm_subdomain=None, use_dummy_backend=False,
return_data=None):
# type: (Optional[text_type], Optional[text_type], bool, Optional[Dict[str, Any]]) -> Optional[UserProfile]
Use LDAP-provided information if available for real names If authoritative data is available from say the LDAP database, we now ignore the POSTed user name, and don't offer it as a form field. We fall back to giving the user a text field if they aren't in LDAP. If users do not have any form fields to fill out, we simply bring them to the app without the registration page, logging them in using a dummy backend. (imported from commit 6bee87430ba46ff753ea3408251e8a80c45c713f)
2013-11-21 04:57:23 +01:00
if use_dummy_backend:
Add option for hosting each realm on its own subdomain. This adds support for running a Zulip production server with each realm on its own unique subdomain, e.g. https://realm_name.example.com. This patch includes a ton of important features: * Configuring the Zulip sesion middleware to issue cookier correctly for the subdomains case. * Throwing an error if the user tries to visit an invalid subdomain. * Runs a portion of the Casper tests with REALMS_HAVE_SUBDOMAINS enabled to test the subdomain signup process. * Updating our integrations documentation to refer to the current subdomain. * Enforces that users can only login to the subdomain of their realm (but does not restrict the API; that will be tightened in a future commit). Note that toggling settings.REALMS_HAVE_SUBDOMAINS on a live server is not supported without manual intervention (the main problem will be adding "subdomain" values for all the existing realms). [substantially modified by tabbott as part of merging]
2016-07-19 14:35:08 +02:00
user_profile = common_get_active_user_by_email(username)
if user_profile is None:
return None
auth: Give nicer subdomain errors when using ZulipDummyBackend. This improves Google and JWT auth as well as the registration codepath to log something if the wrong subdomain is encountered. Ideally, we'd have tests for these, and code to make the Google and JWT auth cases show a clear error message.
2016-08-14 04:44:55 +02:00
if not check_subdomain(realm_subdomain, user_profile.realm.subdomain):
return_data["invalid_subdomain"] = True
return None
return user_profile
Use LDAP-provided information if available for real names If authoritative data is available from say the LDAP database, we now ignore the POSTed user name, and don't offer it as a form field. We fall back to giving the user a text field if they aren't in LDAP. If users do not have any form fields to fill out, we simply bring them to the app without the registration page, logging them in using a dummy backend. (imported from commit 6bee87430ba46ff753ea3408251e8a80c45c713f)
2013-11-21 04:57:23 +01:00
return None
Factor out get_user in zproject/backends.py (imported from commit d60b5440722ed596ffbcb81086b2f62d535288dd)
2013-11-01 20:22:12 +01:00
class EmailAuthBackend(ZulipAuthMixin):
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
"""
Email Authentication Backend
Allows a user to sign in using an email/password pair rather than
a username/password pair.
"""
Add option for hosting each realm on its own subdomain. This adds support for running a Zulip production server with each realm on its own unique subdomain, e.g. https://realm_name.example.com. This patch includes a ton of important features: * Configuring the Zulip sesion middleware to issue cookier correctly for the subdomains case. * Throwing an error if the user tries to visit an invalid subdomain. * Runs a portion of the Casper tests with REALMS_HAVE_SUBDOMAINS enabled to test the subdomain signup process. * Updating our integrations documentation to refer to the current subdomain. * Enforces that users can only login to the subdomain of their realm (but does not restrict the API; that will be tightened in a future commit). Note that toggling settings.REALMS_HAVE_SUBDOMAINS on a live server is not supported without manual intervention (the main problem will be adding "subdomain" values for all the existing realms). [substantially modified by tabbott as part of merging]
2016-07-19 14:35:08 +02:00
def authenticate(self, username=None, password=None, realm_subdomain=None, return_data=None):
# type: (Optional[text_type], Optional[str], Optional[text_type], Optional[Dict[str, Any]]) -> Optional[UserProfile]
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
""" Authenticate a user based on email address as the user name. """
if username is None or password is None:
# Return immediately. Otherwise we will look for a SQL row with
# NULL username. While that's probably harmless, it's needless
# exposure.
return None
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
user_profile = common_get_active_user_by_email(username, return_data=return_data)
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
if user_profile is None:
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
return None
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
if not password_auth_enabled(user_profile.realm):
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
if return_data is not None:
return_data['password_auth_disabled'] = True
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
return None
auth: Separate email_auth_enabled from ldap_auth_enabled.
2016-11-07 00:04:59 +01:00
if not email_auth_enabled(user_profile.realm):
if return_data is not None:
return_data['email_auth_disabled'] = True
return None
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
if user_profile.check_password(password):
Add option for hosting each realm on its own subdomain. This adds support for running a Zulip production server with each realm on its own unique subdomain, e.g. https://realm_name.example.com. This patch includes a ton of important features: * Configuring the Zulip sesion middleware to issue cookier correctly for the subdomains case. * Throwing an error if the user tries to visit an invalid subdomain. * Runs a portion of the Casper tests with REALMS_HAVE_SUBDOMAINS enabled to test the subdomain signup process. * Updating our integrations documentation to refer to the current subdomain. * Enforces that users can only login to the subdomain of their realm (but does not restrict the API; that will be tightened in a future commit). Note that toggling settings.REALMS_HAVE_SUBDOMAINS on a live server is not supported without manual intervention (the main problem will be adding "subdomain" values for all the existing realms). [substantially modified by tabbott as part of merging]
2016-07-19 14:35:08 +02:00
if not check_subdomain(realm_subdomain, user_profile.realm.subdomain):
return_data["invalid_subdomain"] = True
return None
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
return user_profile
Add option for hosting each realm on its own subdomain. This adds support for running a Zulip production server with each realm on its own unique subdomain, e.g. https://realm_name.example.com. This patch includes a ton of important features: * Configuring the Zulip sesion middleware to issue cookier correctly for the subdomains case. * Throwing an error if the user tries to visit an invalid subdomain. * Runs a portion of the Casper tests with REALMS_HAVE_SUBDOMAINS enabled to test the subdomain signup process. * Updating our integrations documentation to refer to the current subdomain. * Enforces that users can only login to the subdomain of their realm (but does not restrict the API; that will be tightened in a future commit). Note that toggling settings.REALMS_HAVE_SUBDOMAINS on a live server is not supported without manual intervention (the main problem will be adding "subdomain" values for all the existing realms). [substantially modified by tabbott as part of merging]
2016-07-19 14:35:08 +02:00
return None
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
[manual] Accept OAuth2 tokens for API login via Google Apps This is used by the Android app to authenticate without prompting for a password. To do so, we implement a custom authentication backend that validates the ID token provided by Google and then tries to see if we have a corresponding UserProfile on file for them. If the attestation is valid but the user is unregistered, we return that fact by modifying a dictionary passed in as a parameter. We then return the appropriate error message via the API. This commit adds a dependency on the "googleapi" module. On Debian-based systems with the Zulip APT repository: sudo apt-get install python-googleapi For OS X and other platforms: pip install googleapi (imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-10 23:48:05 +01:00
class GoogleMobileOauth2Backend(ZulipAuthMixin):
"""
Google Apps authentication for mobile devices
Allows a user to sign in using a Google-issued OAuth2 token.
Ref:
https://developers.google.com/+/mobile/android/sign-in#server-side_access_for_your_app
https://developers.google.com/accounts/docs/CrossClientAuth#offlineAccess
"""
Add option for hosting each realm on its own subdomain. This adds support for running a Zulip production server with each realm on its own unique subdomain, e.g. https://realm_name.example.com. This patch includes a ton of important features: * Configuring the Zulip sesion middleware to issue cookier correctly for the subdomains case. * Throwing an error if the user tries to visit an invalid subdomain. * Runs a portion of the Casper tests with REALMS_HAVE_SUBDOMAINS enabled to test the subdomain signup process. * Updating our integrations documentation to refer to the current subdomain. * Enforces that users can only login to the subdomain of their realm (but does not restrict the API; that will be tightened in a future commit). Note that toggling settings.REALMS_HAVE_SUBDOMAINS on a live server is not supported without manual intervention (the main problem will be adding "subdomain" values for all the existing realms). [substantially modified by tabbott as part of merging]
2016-07-19 14:35:08 +02:00
def authenticate(self, google_oauth2_token=None, realm_subdomain=None, return_data={}):
# type: (Optional[str], Optional[text_type], Dict[str, Any]) -> Optional[UserProfile]
[manual] Accept OAuth2 tokens for API login via Google Apps This is used by the Android app to authenticate without prompting for a password. To do so, we implement a custom authentication backend that validates the ID token provided by Google and then tries to see if we have a corresponding UserProfile on file for them. If the attestation is valid but the user is unregistered, we return that fact by modifying a dictionary passed in as a parameter. We then return the appropriate error message via the API. This commit adds a dependency on the "googleapi" module. On Debian-based systems with the Zulip APT repository: sudo apt-get install python-googleapi For OS X and other platforms: pip install googleapi (imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-10 23:48:05 +01:00
try:
token_payload = googleapiclient.verify_id_token(google_oauth2_token, settings.GOOGLE_CLIENT_ID)
except AppIdentityError:
return None
Fix Google OAuth login by checking True as well as true in oauth response (imported from commit c80620eca4dbd9b5b0122e8e564bc7257a2bd4f5)
2014-05-14 18:57:09 +02:00
if token_payload["email_verified"] in (True, "true"):
[manual] Accept OAuth2 tokens for API login via Google Apps This is used by the Android app to authenticate without prompting for a password. To do so, we implement a custom authentication backend that validates the ID token provided by Google and then tries to see if we have a corresponding UserProfile on file for them. If the attestation is valid but the user is unregistered, we return that fact by modifying a dictionary passed in as a parameter. We then return the appropriate error message via the API. This commit adds a dependency on the "googleapi" module. On Debian-based systems with the Zulip APT repository: sudo apt-get install python-googleapi For OS X and other platforms: pip install googleapi (imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-10 23:48:05 +01:00
try:
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
user_profile = get_user_profile_by_email(token_payload["email"])
[manual] Accept OAuth2 tokens for API login via Google Apps This is used by the Android app to authenticate without prompting for a password. To do so, we implement a custom authentication backend that validates the ID token provided by Google and then tries to see if we have a corresponding UserProfile on file for them. If the attestation is valid but the user is unregistered, we return that fact by modifying a dictionary passed in as a parameter. We then return the appropriate error message via the API. This commit adds a dependency on the "googleapi" module. On Debian-based systems with the Zulip APT repository: sudo apt-get install python-googleapi For OS X and other platforms: pip install googleapi (imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-10 23:48:05 +01:00
except UserProfile.DoesNotExist:
return_data["valid_attestation"] = True
return None
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
if not user_profile.is_active:
return_data["inactive_user"] = True
return None
if user_profile.realm.deactivated:
return_data["inactive_realm"] = True
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
return None
Add option for hosting each realm on its own subdomain. This adds support for running a Zulip production server with each realm on its own unique subdomain, e.g. https://realm_name.example.com. This patch includes a ton of important features: * Configuring the Zulip sesion middleware to issue cookier correctly for the subdomains case. * Throwing an error if the user tries to visit an invalid subdomain. * Runs a portion of the Casper tests with REALMS_HAVE_SUBDOMAINS enabled to test the subdomain signup process. * Updating our integrations documentation to refer to the current subdomain. * Enforces that users can only login to the subdomain of their realm (but does not restrict the API; that will be tightened in a future commit). Note that toggling settings.REALMS_HAVE_SUBDOMAINS on a live server is not supported without manual intervention (the main problem will be adding "subdomain" values for all the existing realms). [substantially modified by tabbott as part of merging]
2016-07-19 14:35:08 +02:00
if not check_subdomain(realm_subdomain, user_profile.realm.subdomain):
return_data["invalid_subdomain"] = True
return None
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
if not google_auth_enabled(realm=user_profile.realm):
return_data["google_auth_disabled"] = True
return None
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
return user_profile
[manual] Accept OAuth2 tokens for API login via Google Apps This is used by the Android app to authenticate without prompting for a password. To do so, we implement a custom authentication backend that validates the ID token provided by Google and then tries to see if we have a corresponding UserProfile on file for them. If the attestation is valid but the user is unregistered, we return that fact by modifying a dictionary passed in as a parameter. We then return the appropriate error message via the API. This commit adds a dependency on the "googleapi" module. On Debian-based systems with the Zulip APT repository: sudo apt-get install python-googleapi For OS X and other platforms: pip install googleapi (imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-10 23:48:05 +01:00
else:
return_data["valid_attestation"] = False
SSO / REMOTE_USER support (imported from commit 4f4fad7af5d3c6099cac95d7708338c182626d72)
2013-11-04 23:16:46 +01:00
class ZulipRemoteUserBackend(RemoteUserBackend):
create_unknown_user = False
Add option for hosting each realm on its own subdomain. This adds support for running a Zulip production server with each realm on its own unique subdomain, e.g. https://realm_name.example.com. This patch includes a ton of important features: * Configuring the Zulip sesion middleware to issue cookier correctly for the subdomains case. * Throwing an error if the user tries to visit an invalid subdomain. * Runs a portion of the Casper tests with REALMS_HAVE_SUBDOMAINS enabled to test the subdomain signup process. * Updating our integrations documentation to refer to the current subdomain. * Enforces that users can only login to the subdomain of their realm (but does not restrict the API; that will be tightened in a future commit). Note that toggling settings.REALMS_HAVE_SUBDOMAINS on a live server is not supported without manual intervention (the main problem will be adding "subdomain" values for all the existing realms). [substantially modified by tabbott as part of merging]
2016-07-19 14:35:08 +02:00
def authenticate(self, remote_user, realm_subdomain=None):
# type: (str, Optional[text_type]) -> Optional[UserProfile]
SSO / REMOTE_USER support (imported from commit 4f4fad7af5d3c6099cac95d7708338c182626d72)
2013-11-04 23:16:46 +01:00
if not remote_user:
Fix missing return None in ZulipRemoteUserBackend.authenticate.
2016-01-26 03:11:31 +01:00
return None
SSO / REMOTE_USER support (imported from commit 4f4fad7af5d3c6099cac95d7708338c182626d72)
2013-11-04 23:16:46 +01:00
email = remote_user_to_email(remote_user)
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
user_profile = common_get_active_user_by_email(email)
if user_profile is None:
return None
if not check_subdomain(realm_subdomain, user_profile.realm.subdomain):
return None
if not auth_enabled_helper([u"RemoteUser"], user_profile.realm):
return None
return user_profile
Fix ZulipRemoteUserBackend for activating mirror dummies. If you're using e.g. our Jabber<=>Zulip mirroring capability along with the RemoteUser SSO integration, previously it would fail if a user with a corresponding dummy user tried to login/signup (since they didn't have an account but one wouldn't be created because ZulipRemoteUserBackend was reporting that an account already existed). (imported from commit 006eaa9afa8feedddd860c2bef41e604285228a7)
2015-02-06 18:30:28 +01:00
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
class ZulipLDAPException(Exception):
pass
class ZulipLDAPAuthBackendBase(ZulipAuthMixin, LDAPBackend):
# Don't use Django LDAP's permissions functions
def has_perm(self, user, perm, obj=None):
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# type: (UserProfile, Any, Any) -> bool
# Using Any type is safe because we are not doing anything with
# the arguments.
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
return False
def has_module_perms(self, user, app_label):
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# type: (UserProfile, str) -> bool
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
return False
def get_all_permissions(self, user, obj=None):
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# type: (UserProfile, Any) -> Set
# Using Any type is safe because we are not doing anything with
# the arguments.
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
return set()
def get_group_permissions(self, user, obj=None):
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# type: (UserProfile, Any) -> Set
# Using Any type is safe because we are not doing anything with
# the arguments.
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
return set()
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
def django_to_ldap_username(self, username):
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# type: (text_type) -> text_type
Improve LDAP_APPEND_DOMAIN default. The documentation suggests the default is None; this change makes that true. Also make the actual code robust to this being set to "" instead.
2015-10-13 22:57:38 +02:00
if settings.LDAP_APPEND_DOMAIN:
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
if not username.endswith("@" + settings.LDAP_APPEND_DOMAIN):
raise ZulipLDAPException("Username does not match LDAP domain.")
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
return email_to_username(username)
return username
def ldap_to_django_username(self, username):
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# type: (str) -> str
Improve LDAP_APPEND_DOMAIN default. The documentation suggests the default is None; this change makes that true. Also make the actual code robust to this being set to "" instead.
2015-10-13 22:57:38 +02:00
if settings.LDAP_APPEND_DOMAIN:
Correctly concatenate local part with domain in LDAP backend. (imported from commit 951123e2e0ed52a11dc8b5ce3aeff2c1d4f5e816)
2013-11-25 17:57:30 +01:00
return "@".join((username, settings.LDAP_APPEND_DOMAIN))
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
return username
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
class ZulipLDAPAuthBackend(ZulipLDAPAuthBackendBase):
Add option for hosting each realm on its own subdomain. This adds support for running a Zulip production server with each realm on its own unique subdomain, e.g. https://realm_name.example.com. This patch includes a ton of important features: * Configuring the Zulip sesion middleware to issue cookier correctly for the subdomains case. * Throwing an error if the user tries to visit an invalid subdomain. * Runs a portion of the Casper tests with REALMS_HAVE_SUBDOMAINS enabled to test the subdomain signup process. * Updating our integrations documentation to refer to the current subdomain. * Enforces that users can only login to the subdomain of their realm (but does not restrict the API; that will be tightened in a future commit). Note that toggling settings.REALMS_HAVE_SUBDOMAINS on a live server is not supported without manual intervention (the main problem will be adding "subdomain" values for all the existing realms). [substantially modified by tabbott as part of merging]
2016-07-19 14:35:08 +02:00
def authenticate(self, username, password, realm_subdomain=None, return_data=None):
Add LDAP tests.
2016-10-24 14:41:45 +02:00
# type: (text_type, str, Optional[text_type], Optional[Dict[str, Any]]) -> Optional[UserProfile]
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
try:
username = self.django_to_ldap_username(username)
Add option for hosting each realm on its own subdomain. This adds support for running a Zulip production server with each realm on its own unique subdomain, e.g. https://realm_name.example.com. This patch includes a ton of important features: * Configuring the Zulip sesion middleware to issue cookier correctly for the subdomains case. * Throwing an error if the user tries to visit an invalid subdomain. * Runs a portion of the Casper tests with REALMS_HAVE_SUBDOMAINS enabled to test the subdomain signup process. * Updating our integrations documentation to refer to the current subdomain. * Enforces that users can only login to the subdomain of their realm (but does not restrict the API; that will be tightened in a future commit). Note that toggling settings.REALMS_HAVE_SUBDOMAINS on a live server is not supported without manual intervention (the main problem will be adding "subdomain" values for all the existing realms). [substantially modified by tabbott as part of merging]
2016-07-19 14:35:08 +02:00
user_profile = ZulipLDAPAuthBackendBase.authenticate(self, username, password)
if user_profile is None:
return None
if not check_subdomain(realm_subdomain, user_profile.realm.subdomain):
return None
return user_profile
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
except Realm.DoesNotExist:
return None
except ZulipLDAPException:
return None
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
def get_or_create_user(self, username, ldap_user):
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# type: (str, _LDAPUser) -> Tuple[UserProfile, bool]
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
try:
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
user_profile = get_user_profile_by_email(username)
if not user_profile.is_active or user_profile.realm.deactivated:
raise ZulipLDAPException("Realm has been deactivated")
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
if not ldap_auth_enabled(user_profile.realm):
raise ZulipLDAPException("LDAP Authentication is not enabled")
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
return user_profile, False
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
except UserProfile.DoesNotExist:
Prevent code from using email domain to determine realm when subdomains. Also removes the intermediate step of going through Realm.domain in the non-subdomains case. Part of a larger project to remove Realm.domain entirely.
2016-11-09 02:40:54 +01:00
realm = get_realm_by_email_domain(username)
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
# No need to check for an inactive user since they don't exist yet
if realm.deactivated:
raise ZulipLDAPException("Realm has been deactivated")
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
full_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["full_name"]
Fix construction of names in LDAP integration. Previously these users' names were being set to 1-element lists containing the name, not the names themselves. This bug caused existing users to have their people module state (e.g. @-mentions, etc.) to break whenever a new user joined. Fixes #222.
2015-10-26 17:17:51 +01:00
short_name = full_name = ldap_user.attrs[full_name_attr][0]
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
if "short_name" in settings.AUTH_LDAP_USER_ATTR_MAP:
short_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["short_name"]
Fix construction of names in LDAP integration. Previously these users' names were being set to 1-element lists containing the name, not the names themselves. This bug caused existing users to have their people module state (e.g. @-mentions, etc.) to break whenever a new user joined. Fixes #222.
2015-10-26 17:17:51 +01:00
short_name = ldap_user.attrs[short_name_attr][0]
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
user_profile = do_create_user(username, None, realm, full_name, short_name)
Fix return value logic of ZulipLDAPAuthBackend.get_or_create_user. The actual logic is that if the user already exists than the function should return a False and if the user does not exist the function should first create the user and return True.
2016-10-28 14:41:07 +02:00
return user_profile, True
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
# Just like ZulipLDAPAuthBackend, but doesn't let you log in.
class ZulipLDAPUserPopulator(ZulipLDAPAuthBackendBase):
Add option for hosting each realm on its own subdomain. This adds support for running a Zulip production server with each realm on its own unique subdomain, e.g. https://realm_name.example.com. This patch includes a ton of important features: * Configuring the Zulip sesion middleware to issue cookier correctly for the subdomains case. * Throwing an error if the user tries to visit an invalid subdomain. * Runs a portion of the Casper tests with REALMS_HAVE_SUBDOMAINS enabled to test the subdomain signup process. * Updating our integrations documentation to refer to the current subdomain. * Enforces that users can only login to the subdomain of their realm (but does not restrict the API; that will be tightened in a future commit). Note that toggling settings.REALMS_HAVE_SUBDOMAINS on a live server is not supported without manual intervention (the main problem will be adding "subdomain" values for all the existing realms). [substantially modified by tabbott as part of merging]
2016-07-19 14:35:08 +02:00
def authenticate(self, username, password, realm_subdomain=None):
# type: (text_type, str, Optional[text_type]) -> None
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
return None
Add a new dev login page for logging in without a password on the dev VM. (imported from commit ac8f2504771c9907b7e92dc91cec5f7220ce951b)
2015-08-19 02:58:20 +02:00
class DevAuthBackend(ZulipAuthMixin):
# Allow logging in as any user without a password.
# This is used for convenience when developing Zulip.
Add option for hosting each realm on its own subdomain. This adds support for running a Zulip production server with each realm on its own unique subdomain, e.g. https://realm_name.example.com. This patch includes a ton of important features: * Configuring the Zulip sesion middleware to issue cookier correctly for the subdomains case. * Throwing an error if the user tries to visit an invalid subdomain. * Runs a portion of the Casper tests with REALMS_HAVE_SUBDOMAINS enabled to test the subdomain signup process. * Updating our integrations documentation to refer to the current subdomain. * Enforces that users can only login to the subdomain of their realm (but does not restrict the API; that will be tightened in a future commit). Note that toggling settings.REALMS_HAVE_SUBDOMAINS on a live server is not supported without manual intervention (the main problem will be adding "subdomain" values for all the existing realms). [substantially modified by tabbott as part of merging]
2016-07-19 14:35:08 +02:00
def authenticate(self, username, realm_subdomain=None, return_data=None):
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
# type: (text_type, Optional[text_type], Optional[Dict[str, Any]]) -> Optional[UserProfile]
user_profile = common_get_active_user_by_email(username, return_data=return_data)
if user_profile is None:
return None
if not dev_auth_enabled(user_profile.realm):
return None
return user_profile
Add GitHub authentication. Fixes: #1042
2016-07-20 13:33:27 +02:00
Rename GitHubBackend to GitHubAuthBackend for consistency.
2016-07-29 21:47:14 +02:00
class GitHubAuthBackend(SocialAuthMixin, GithubOAuth2):
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
auth_backend_name = u"GitHub"
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
def get_email_address(self, *args, **kwargs):
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# type: (*Any, **Any) -> Optional[text_type]
Add GitHub authentication. Fixes: #1042
2016-07-20 13:33:27 +02:00
try:
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
return kwargs['response']['email']
Add GitHub authentication. Fixes: #1042
2016-07-20 13:33:27 +02:00
except KeyError:
return None
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
def get_full_name(self, *args, **kwargs):
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# type: (*Any, **Any) -> text_type
Add GitHub authentication. Fixes: #1042
2016-07-20 13:33:27 +02:00
try:
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
return kwargs['response']['name']
except KeyError:
return ''
Add GitHub authentication. Fixes: #1042
2016-07-20 13:33:27 +02:00
def do_auth(self, *args, **kwargs):
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# type: (*Any, **Any) -> Optional[UserProfile]
Add GitHub authentication. Fixes: #1042
2016-07-20 13:33:27 +02:00
kwargs['return_data'] = {}
GitHub: Show error on login page for wrong subdomain. While logging in through GitHub, if the user tries to login to the wrong subdomain then show an appropriate message.
2016-10-07 11:10:21 +02:00
mypy: Remove a bunch of now-unnecessary type: ignore annotations. Since mypy and typeshed have advanced a lot over the last several months, we no longer need these `type: ignore` annotations.
2016-10-17 08:22:00 +02:00
request = self.strategy.request
GitHub: Show error on login page for wrong subdomain. While logging in through GitHub, if the user tries to login to the wrong subdomain then show an appropriate message.
2016-10-07 11:10:21 +02:00
kwargs['realm_subdomain'] = get_subdomain(request)
Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
user_profile = None
team_id = settings.SOCIAL_AUTH_GITHUB_TEAM_ID
org_name = settings.SOCIAL_AUTH_GITHUB_ORG_NAME
if (team_id is None and org_name is None):
user_profile = GithubOAuth2.do_auth(self, *args, **kwargs)
elif (team_id):
backend = GithubTeamOAuth2(self.strategy, self.redirect_uri)
try:
user_profile = backend.do_auth(*args, **kwargs)
except AuthFailed:
logging.info("User profile not member of team.")
user_profile = None
elif (org_name):
backend = GithubOrganizationOAuth2(self.strategy, self.redirect_uri)
try:
user_profile = backend.do_auth(*args, **kwargs)
except AuthFailed:
logging.info("User profile not member of organisation.")
user_profile = None
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
return self.process_do_auth(user_profile, *args, **kwargs)
auth: Refactor auth backend enabled checking code.
2016-11-06 23:44:45 +01:00
AUTH_BACKEND_NAME_MAP = {
u'Dev': DevAuthBackend,
u'Email': EmailAuthBackend,
u'GitHub': GitHubAuthBackend,
u'Google': GoogleMobileOauth2Backend,
u'LDAP': ZulipLDAPAuthBackend,
u'RemoteUser': ZulipRemoteUserBackend,
} # type: Dict[text_type, Any]