2019-03-10 02:43:29 +01:00
|
|
|
# Documentation for Zulip's authentication backends is split across a few places:
|
|
|
|
#
|
|
|
|
# * https://zulip.readthedocs.io/en/latest/production/authentication-methods.html and
|
|
|
|
# zproject/prod_settings_template.py have user-level configuration documentation.
|
|
|
|
# * https://zulip.readthedocs.io/en/latest/subsystems/auth.html has developer-level
|
|
|
|
# documentation, especially on testing authentication backends in the Zulip
|
|
|
|
# development environment.
|
|
|
|
#
|
|
|
|
# Django upstream's documentation for authentication backends is also
|
|
|
|
# helpful background. The most important detail to understand for
|
|
|
|
# reading this file is that the Django authenticate() function will
|
|
|
|
# call the authenticate methods of all backends registered in
|
|
|
|
# settings.AUTHENTICATION_BACKENDS that have a function signature
|
|
|
|
# matching the args/kwargs passed in the authenticate() call.
|
2019-06-07 23:36:19 +02:00
|
|
|
import copy
|
2016-08-01 13:06:35 +02:00
|
|
|
import logging
|
2019-06-07 23:36:19 +02:00
|
|
|
import magic
|
2019-09-29 06:32:56 +02:00
|
|
|
import ujson
|
2019-01-29 13:39:21 +01:00
|
|
|
from typing import Any, Dict, List, Optional, Set, Tuple, Union
|
2016-08-01 13:06:35 +02:00
|
|
|
|
2019-09-04 10:11:25 +02:00
|
|
|
from django_auth_ldap.backend import LDAPBackend, _LDAPUser, ldap_error
|
2019-03-09 07:52:14 +01:00
|
|
|
from django.contrib.auth import get_backends
|
2013-11-04 23:16:46 +01:00
|
|
|
from django.contrib.auth.backends import RemoteUserBackend
|
2013-11-21 01:30:20 +01:00
|
|
|
from django.conf import settings
|
2018-05-31 00:12:39 +02:00
|
|
|
from django.core.exceptions import ValidationError
|
|
|
|
from django.core.validators import validate_email
|
2019-09-04 10:11:25 +02:00
|
|
|
from django.dispatch import receiver, Signal
|
2019-04-12 06:24:58 +02:00
|
|
|
from django.http import HttpResponse, HttpResponseRedirect
|
2018-07-18 23:45:49 +02:00
|
|
|
from django.shortcuts import render
|
2019-04-12 06:24:58 +02:00
|
|
|
from django.urls import reverse
|
2018-06-07 00:19:06 +02:00
|
|
|
from requests import HTTPError
|
2019-09-29 06:32:56 +02:00
|
|
|
from onelogin.saml2.errors import OneLogin_Saml2_Error
|
2017-01-21 16:52:59 +01:00
|
|
|
from social_core.backends.github import GithubOAuth2, GithubOrganizationOAuth2, \
|
2016-08-01 13:06:35 +02:00
|
|
|
GithubTeamOAuth2
|
2018-10-05 14:32:02 +02:00
|
|
|
from social_core.backends.azuread import AzureADOAuth2
|
2018-05-31 00:12:39 +02:00
|
|
|
from social_core.backends.base import BaseAuth
|
2019-02-02 16:51:26 +01:00
|
|
|
from social_core.backends.google import GoogleOAuth2
|
2018-10-12 02:08:33 +02:00
|
|
|
from social_core.backends.oauth import BaseOAuth2
|
2019-09-29 06:32:56 +02:00
|
|
|
from social_core.backends.saml import SAMLAuth
|
2018-07-18 23:45:49 +02:00
|
|
|
from social_core.pipeline.partial import partial
|
2017-03-07 08:32:40 +01:00
|
|
|
from social_core.exceptions import AuthFailed, SocialAuthBaseException
|
2017-03-24 10:48:52 +01:00
|
|
|
|
2019-01-29 13:39:21 +01:00
|
|
|
from zerver.lib.actions import do_create_user, do_reactivate_user, do_deactivate_user, \
|
2019-10-01 04:22:50 +02:00
|
|
|
do_update_user_custom_profile_data_if_changed, validate_email_for_realm
|
2019-08-03 14:15:32 +02:00
|
|
|
from zerver.lib.avatar import is_avatar_new, avatar_url
|
2019-06-28 00:10:58 +02:00
|
|
|
from zerver.lib.avatar_hash import user_avatar_content_hash
|
2019-01-12 18:12:11 +01:00
|
|
|
from zerver.lib.dev_ldap_directory import init_fakeldap
|
2017-10-24 17:59:39 +02:00
|
|
|
from zerver.lib.request import JsonableError
|
2019-01-29 13:39:21 +01:00
|
|
|
from zerver.lib.users import check_full_name, validate_user_custom_profile_field
|
2019-09-29 06:32:56 +02:00
|
|
|
from zerver.lib.utils import generate_random_token
|
|
|
|
from zerver.lib.redis_utils import get_redis_client
|
2019-03-10 08:57:19 +01:00
|
|
|
from zerver.models import CustomProfileField, DisposableEmailError, DomainNotAllowedForRealmError, \
|
|
|
|
EmailContainsPlusError, PreregistrationUser, UserProfile, Realm, custom_profile_fields_for_realm, \
|
|
|
|
email_allowed_for_realm, get_default_stream_groups, get_user_profile_by_id, remote_user_to_email, \
|
2019-03-17 22:25:47 +01:00
|
|
|
email_to_username, get_realm, get_user_by_delivery_email, supported_auth_backends
|
2017-10-24 17:59:39 +02:00
|
|
|
|
2019-09-29 06:32:56 +02:00
|
|
|
redis_client = get_redis_client()
|
|
|
|
|
2019-03-10 02:43:29 +01:00
|
|
|
# This first batch of methods is used by other code in Zulip to check
|
|
|
|
# whether a given authentication backend is enabled for a given realm.
|
|
|
|
# In each case, we both needs to check at the server level (via
|
|
|
|
# `settings.AUTHENTICATION_BACKENDS`, queried via
|
|
|
|
# `django.contrib.auth.get_backends`) and at the realm level (via the
|
|
|
|
# `Realm.authentication_methods` BitField).
|
2018-05-10 18:53:55 +02:00
|
|
|
def pad_method_dict(method_dict: Dict[str, bool]) -> Dict[str, bool]:
|
2016-11-06 23:44:45 +01:00
|
|
|
"""Pads an authentication methods dict to contain all auth backends
|
|
|
|
supported by the software, regardless of whether they are
|
|
|
|
configured on this server"""
|
|
|
|
for key in AUTH_BACKEND_NAME_MAP:
|
|
|
|
if key not in method_dict:
|
|
|
|
method_dict[key] = False
|
|
|
|
return method_dict
|
|
|
|
|
2018-05-10 18:53:55 +02:00
|
|
|
def auth_enabled_helper(backends_to_check: List[str], realm: Optional[Realm]) -> bool:
|
2016-11-02 21:41:10 +01:00
|
|
|
if realm is not None:
|
|
|
|
enabled_method_dict = realm.authentication_methods_dict()
|
|
|
|
pad_method_dict(enabled_method_dict)
|
|
|
|
else:
|
|
|
|
enabled_method_dict = dict((method, True) for method in Realm.AUTHENTICATION_FLAGS)
|
|
|
|
pad_method_dict(enabled_method_dict)
|
2019-03-17 22:25:47 +01:00
|
|
|
for supported_backend in supported_auth_backends():
|
2016-11-06 23:44:45 +01:00
|
|
|
for backend_name in backends_to_check:
|
|
|
|
backend = AUTH_BACKEND_NAME_MAP[backend_name]
|
|
|
|
if enabled_method_dict[backend_name] and isinstance(supported_backend, backend):
|
|
|
|
return True
|
2013-11-04 23:42:31 +01:00
|
|
|
return False
|
|
|
|
|
2017-11-27 14:35:36 +01:00
|
|
|
def ldap_auth_enabled(realm: Optional[Realm]=None) -> bool:
|
2017-11-02 08:05:56 +01:00
|
|
|
return auth_enabled_helper(['LDAP'], realm)
|
2016-11-07 00:04:59 +01:00
|
|
|
|
2017-11-27 14:35:36 +01:00
|
|
|
def email_auth_enabled(realm: Optional[Realm]=None) -> bool:
|
2017-11-02 08:05:56 +01:00
|
|
|
return auth_enabled_helper(['Email'], realm)
|
2016-11-07 00:04:59 +01:00
|
|
|
|
2017-11-27 14:35:36 +01:00
|
|
|
def password_auth_enabled(realm: Optional[Realm]=None) -> bool:
|
2016-11-07 00:04:59 +01:00
|
|
|
return ldap_auth_enabled(realm) or email_auth_enabled(realm)
|
2015-08-19 02:58:20 +02:00
|
|
|
|
2017-11-27 14:35:36 +01:00
|
|
|
def dev_auth_enabled(realm: Optional[Realm]=None) -> bool:
|
2017-11-02 08:05:56 +01:00
|
|
|
return auth_enabled_helper(['Dev'], realm)
|
2016-11-06 23:44:45 +01:00
|
|
|
|
2017-11-27 14:35:36 +01:00
|
|
|
def google_auth_enabled(realm: Optional[Realm]=None) -> bool:
|
2017-11-02 08:05:56 +01:00
|
|
|
return auth_enabled_helper(['Google'], realm)
|
2016-11-06 23:44:45 +01:00
|
|
|
|
2017-11-27 14:35:36 +01:00
|
|
|
def github_auth_enabled(realm: Optional[Realm]=None) -> bool:
|
2017-11-02 08:05:56 +01:00
|
|
|
return auth_enabled_helper(['GitHub'], realm)
|
2015-08-19 02:58:20 +02:00
|
|
|
|
2019-09-29 06:32:56 +02:00
|
|
|
def saml_auth_enabled(realm: Optional[Realm]=None) -> bool:
|
|
|
|
return auth_enabled_helper(['SAML'], realm)
|
|
|
|
|
2019-09-19 03:19:45 +02:00
|
|
|
def any_social_backend_enabled(realm: Optional[Realm]=None) -> bool:
|
2017-04-20 21:02:56 +02:00
|
|
|
"""Used by the login page process to determine whether to show the
|
|
|
|
'OR' for login with Google"""
|
2019-09-19 03:14:12 +02:00
|
|
|
social_backend_names = [social_auth_subclass.auth_backend_name
|
|
|
|
for social_auth_subclass in SOCIAL_AUTH_BACKENDS]
|
|
|
|
return auth_enabled_helper(social_backend_names, realm)
|
2017-04-20 21:02:56 +02:00
|
|
|
|
2017-11-27 14:35:36 +01:00
|
|
|
def require_email_format_usernames(realm: Optional[Realm]=None) -> bool:
|
2017-09-15 16:59:03 +02:00
|
|
|
if ldap_auth_enabled(realm):
|
|
|
|
if settings.LDAP_EMAIL_ATTR or settings.LDAP_APPEND_DOMAIN:
|
|
|
|
return False
|
|
|
|
return True
|
|
|
|
|
2019-09-21 01:32:59 +02:00
|
|
|
def is_user_active(user_profile: UserProfile, return_data: Optional[Dict[str, Any]]=None) -> bool:
|
|
|
|
if not user_profile.is_active:
|
|
|
|
if return_data is not None:
|
|
|
|
if user_profile.is_mirror_dummy:
|
|
|
|
# Record whether it's a mirror dummy account
|
|
|
|
return_data['is_mirror_dummy'] = True
|
|
|
|
return_data['inactive_user'] = True
|
|
|
|
return False
|
|
|
|
if user_profile.realm.deactivated:
|
|
|
|
if return_data is not None:
|
|
|
|
return_data['inactive_realm'] = True
|
|
|
|
return False
|
|
|
|
|
|
|
|
return True
|
|
|
|
|
2017-11-17 22:43:16 +01:00
|
|
|
def common_get_active_user(email: str, realm: Realm,
|
2018-10-27 03:19:49 +02:00
|
|
|
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
|
2019-03-10 02:43:29 +01:00
|
|
|
"""This is the core common function used by essentially all
|
|
|
|
authentication backends to check if there's an active user account
|
|
|
|
with a given email address in the organization, handling both
|
|
|
|
user-level and realm-level deactivation correctly.
|
|
|
|
"""
|
2017-11-17 22:43:16 +01:00
|
|
|
try:
|
2018-12-07 00:05:57 +01:00
|
|
|
user_profile = get_user_by_delivery_email(email, realm)
|
2017-11-17 22:43:16 +01:00
|
|
|
except UserProfile.DoesNotExist:
|
|
|
|
# If the user doesn't have an account in the target realm, we
|
|
|
|
# check whether they might have an account in another realm,
|
|
|
|
# and if so, provide a helpful error message via
|
|
|
|
# `invalid_subdomain`.
|
2018-12-07 00:05:57 +01:00
|
|
|
if not UserProfile.objects.filter(delivery_email__iexact=email).exists():
|
2017-11-17 22:43:16 +01:00
|
|
|
return None
|
|
|
|
if return_data is not None:
|
|
|
|
return_data['invalid_subdomain'] = True
|
|
|
|
return None
|
2019-09-21 01:32:59 +02:00
|
|
|
if not is_user_active(user_profile, return_data):
|
2017-11-17 22:43:16 +01:00
|
|
|
return None
|
2019-09-21 01:32:59 +02:00
|
|
|
|
2017-11-17 22:43:16 +01:00
|
|
|
return user_profile
|
|
|
|
|
2017-11-05 11:31:53 +01:00
|
|
|
class ZulipAuthMixin:
|
2019-03-10 02:43:29 +01:00
|
|
|
"""This common mixin is used to override Django's default behavior for
|
|
|
|
looking up a logged-in user by ID to use a version that fetches
|
|
|
|
from memcached before checking the database (avoiding a database
|
|
|
|
query in most cases).
|
|
|
|
"""
|
2017-11-27 14:35:36 +01:00
|
|
|
def get_user(self, user_profile_id: int) -> Optional[UserProfile]:
|
2019-03-10 02:43:29 +01:00
|
|
|
"""Override the Django method for getting a UserProfile object from
|
|
|
|
the user_profile_id,."""
|
2013-11-01 20:22:12 +01:00
|
|
|
try:
|
|
|
|
return get_user_profile_by_id(user_profile_id)
|
|
|
|
except UserProfile.DoesNotExist:
|
|
|
|
return None
|
|
|
|
|
2013-11-21 04:57:23 +01:00
|
|
|
class ZulipDummyBackend(ZulipAuthMixin):
|
2019-03-10 02:43:29 +01:00
|
|
|
"""Used when we want to log you in without checking any
|
2017-11-17 22:43:16 +01:00
|
|
|
authentication (i.e. new user registration or when otherwise
|
|
|
|
authentication has already been checked earlier in the process).
|
2019-03-10 02:43:29 +01:00
|
|
|
|
|
|
|
We ensure that this backend only ever successfully authenticates
|
|
|
|
when explicitly requested by including the use_dummy_backend kwarg.
|
2013-11-21 04:57:23 +01:00
|
|
|
"""
|
2016-11-29 07:22:02 +01:00
|
|
|
|
2019-05-08 02:18:34 +02:00
|
|
|
def authenticate(self, *, username: str, realm: Realm,
|
2017-11-21 20:47:26 +01:00
|
|
|
use_dummy_backend: bool=False,
|
2018-10-27 03:19:49 +02:00
|
|
|
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
|
2013-11-21 04:57:23 +01:00
|
|
|
if use_dummy_backend:
|
2017-11-17 22:43:16 +01:00
|
|
|
return common_get_active_user(username, realm, return_data)
|
2013-11-21 04:57:23 +01:00
|
|
|
return None
|
|
|
|
|
2013-11-01 20:22:12 +01:00
|
|
|
class EmailAuthBackend(ZulipAuthMixin):
|
2013-08-06 22:51:47 +02:00
|
|
|
"""
|
2019-03-10 02:43:29 +01:00
|
|
|
Email+Password Authentication Backend (the default).
|
2013-08-06 22:51:47 +02:00
|
|
|
|
2019-03-10 02:43:29 +01:00
|
|
|
Allows a user to sign in using an email/password pair.
|
2013-08-06 22:51:47 +02:00
|
|
|
"""
|
2016-11-29 07:22:02 +01:00
|
|
|
|
2019-05-08 02:18:34 +02:00
|
|
|
def authenticate(self, *, username: str, password: str,
|
2019-05-05 01:04:48 +02:00
|
|
|
realm: Realm,
|
2017-11-21 20:47:26 +01:00
|
|
|
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
|
2013-08-06 22:51:47 +02:00
|
|
|
""" Authenticate a user based on email address as the user name. """
|
2017-11-17 23:56:45 +01:00
|
|
|
if not password_auth_enabled(realm):
|
2016-04-21 21:07:43 +02:00
|
|
|
if return_data is not None:
|
|
|
|
return_data['password_auth_disabled'] = True
|
2016-04-21 07:19:08 +02:00
|
|
|
return None
|
2017-11-17 23:56:45 +01:00
|
|
|
if not email_auth_enabled(realm):
|
2016-11-07 00:04:59 +01:00
|
|
|
if return_data is not None:
|
|
|
|
return_data['email_auth_disabled'] = True
|
|
|
|
return None
|
2017-11-21 21:39:56 +01:00
|
|
|
|
2017-11-21 21:42:21 +01:00
|
|
|
user_profile = common_get_active_user(username, realm, return_data=return_data)
|
2017-11-21 21:39:56 +01:00
|
|
|
if user_profile is None:
|
|
|
|
return None
|
2016-04-21 07:19:08 +02:00
|
|
|
if user_profile.check_password(password):
|
|
|
|
return user_profile
|
2016-07-19 14:35:08 +02:00
|
|
|
return None
|
2013-08-06 22:51:47 +02:00
|
|
|
|
2013-11-04 23:16:46 +01:00
|
|
|
class ZulipRemoteUserBackend(RemoteUserBackend):
|
2019-03-10 02:43:29 +01:00
|
|
|
"""Authentication backend that reads the Apache REMOTE_USER variable.
|
|
|
|
Used primarily in enterprise environments with an SSO solution
|
|
|
|
that has an Apache REMOTE_USER integration. For manual testing, see
|
|
|
|
|
|
|
|
https://zulip.readthedocs.io/en/latest/production/authentication-methods.html
|
|
|
|
|
|
|
|
See also remote_user_sso in zerver/views/auth.py.
|
|
|
|
"""
|
2013-11-04 23:16:46 +01:00
|
|
|
create_unknown_user = False
|
2016-11-29 07:22:02 +01:00
|
|
|
|
2019-05-08 02:18:34 +02:00
|
|
|
def authenticate(self, *, remote_user: str, realm: Realm,
|
2018-04-22 23:20:58 +02:00
|
|
|
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
|
2017-11-21 21:04:04 +01:00
|
|
|
if not auth_enabled_helper(["RemoteUser"], realm):
|
|
|
|
return None
|
2013-11-04 23:16:46 +01:00
|
|
|
|
|
|
|
email = remote_user_to_email(remote_user)
|
2018-04-22 23:20:58 +02:00
|
|
|
return common_get_active_user(email, realm, return_data=return_data)
|
2015-02-06 18:30:28 +01:00
|
|
|
|
2019-01-09 17:58:39 +01:00
|
|
|
def is_valid_email(email: str) -> bool:
|
|
|
|
try:
|
|
|
|
validate_email(email)
|
|
|
|
except ValidationError:
|
|
|
|
return False
|
|
|
|
return True
|
|
|
|
|
2018-05-29 07:25:08 +02:00
|
|
|
def email_belongs_to_ldap(realm: Realm, email: str) -> bool:
|
2019-03-10 02:43:29 +01:00
|
|
|
"""Used to make determinations on whether a user's email address is
|
|
|
|
managed by LDAP. For environments using both LDAP and
|
|
|
|
Email+Password authentication, we do not allow EmailAuthBackend
|
|
|
|
authentication for email addresses managed by LDAP (to avoid a
|
|
|
|
security issue where one create separate credentials for an LDAP
|
|
|
|
user), and this function is used to enforce that rule.
|
|
|
|
"""
|
2018-05-29 07:25:08 +02:00
|
|
|
if not ldap_auth_enabled(realm):
|
|
|
|
return False
|
|
|
|
|
|
|
|
# If we don't have an LDAP domain, it's impossible to tell which
|
|
|
|
# accounts are LDAP accounts, so treat all of them as LDAP
|
|
|
|
# accounts
|
|
|
|
if not settings.LDAP_APPEND_DOMAIN:
|
|
|
|
return True
|
|
|
|
|
|
|
|
# Otherwise, check if the email ends with LDAP_APPEND_DOMAIN
|
|
|
|
return email.strip().lower().endswith("@" + settings.LDAP_APPEND_DOMAIN)
|
|
|
|
|
2017-09-27 00:56:34 +02:00
|
|
|
class ZulipLDAPException(_LDAPUser.AuthenticationFailed):
|
2018-05-31 23:10:22 +02:00
|
|
|
"""Since this inherits from _LDAPUser.AuthenticationFailed, these will
|
|
|
|
be caught and logged at debug level inside django-auth-ldap's authenticate()"""
|
2015-10-13 23:08:05 +02:00
|
|
|
pass
|
|
|
|
|
auth: Improve interactions between LDAPAuthBackend and EmailAuthBackend.
Previously, if you had LDAPAuthBackend enabled, we basically blocked
any other auth backends from working at all, by requiring the user's
login flow include verifying the user's LDAP password.
We still want to enforce that in the case that the account email
matches LDAP_APPEND_DOMAIN, but there's a reasonable corner case:
Having effectively guest users from outside the LDAP domain.
We don't want to allow creating a Zulip-level password for a user
inside the LDAP domain, so we still verify the LDAP password in that
flow, but if the email is allowed to register (due to invite or
whatever) but is outside the LDAP domain for the organization, we
allow it to create an account and set a password.
For the moment, this solution only covers EmailAuthBackend. It's
likely that just extending the list of other backends we check for in
the new conditional on `email_auth_backend` would be correct, but we
haven't done any testing for those cases, and with auth code paths,
it's better to disallow than allow untested code paths.
Fixes #9422.
2018-05-29 06:52:06 +02:00
|
|
|
class ZulipLDAPExceptionOutsideDomain(ZulipLDAPException):
|
|
|
|
pass
|
|
|
|
|
2017-09-22 10:58:12 +02:00
|
|
|
class ZulipLDAPConfigurationError(Exception):
|
|
|
|
pass
|
|
|
|
|
2018-12-13 23:58:26 +01:00
|
|
|
LDAP_USER_ACCOUNT_CONTROL_DISABLED_MASK = 2
|
|
|
|
|
2015-10-13 23:08:05 +02:00
|
|
|
class ZulipLDAPAuthBackendBase(ZulipAuthMixin, LDAPBackend):
|
2019-03-10 02:43:29 +01:00
|
|
|
"""Common code between LDAP authentication (ZulipLDAPAuthBackend) and
|
|
|
|
using LDAP just to sync user data (ZulipLDAPUserPopulator).
|
|
|
|
|
|
|
|
To fully understand our LDAP backend, you may want to skim
|
|
|
|
django_auth_ldap/backend.py from the upstream django-auth-ldap
|
|
|
|
library. It's not a lot of code, and searching around in that
|
|
|
|
file makes the flow for LDAP authentication clear.
|
|
|
|
"""
|
2018-12-12 20:06:10 +01:00
|
|
|
def __init__(self) -> None:
|
2019-03-10 02:43:29 +01:00
|
|
|
# Used to initialize a fake LDAP directly for both manual
|
|
|
|
# and automated testing in a development environment where
|
|
|
|
# there is no actual LDAP server.
|
2018-12-12 20:06:10 +01:00
|
|
|
if settings.DEVELOPMENT and settings.FAKE_LDAP_MODE: # nocoverage
|
2019-01-12 18:12:11 +01:00
|
|
|
init_fakeldap()
|
2018-12-12 20:06:10 +01:00
|
|
|
|
2019-03-10 02:43:29 +01:00
|
|
|
# Disable django-auth-ldap's permissions functions -- we don't use
|
|
|
|
# the standard Django user/group permissions system because they
|
|
|
|
# are prone to performance issues.
|
2017-11-27 14:35:36 +01:00
|
|
|
def has_perm(self, user: Optional[UserProfile], perm: Any, obj: Any=None) -> bool:
|
2015-10-13 23:08:05 +02:00
|
|
|
return False
|
2016-11-29 07:22:02 +01:00
|
|
|
|
2017-11-27 14:35:36 +01:00
|
|
|
def has_module_perms(self, user: Optional[UserProfile], app_label: Optional[str]) -> bool:
|
2015-10-13 23:08:05 +02:00
|
|
|
return False
|
2016-11-29 07:22:02 +01:00
|
|
|
|
2017-11-27 14:35:36 +01:00
|
|
|
def get_all_permissions(self, user: Optional[UserProfile], obj: Any=None) -> Set[Any]:
|
2015-10-13 23:08:05 +02:00
|
|
|
return set()
|
2016-11-29 07:22:02 +01:00
|
|
|
|
2017-11-27 14:35:36 +01:00
|
|
|
def get_group_permissions(self, user: Optional[UserProfile], obj: Any=None) -> Set[Any]:
|
2015-10-13 23:08:05 +02:00
|
|
|
return set()
|
|
|
|
|
2018-05-10 18:53:55 +02:00
|
|
|
def django_to_ldap_username(self, username: str) -> str:
|
2015-10-13 22:57:38 +02:00
|
|
|
if settings.LDAP_APPEND_DOMAIN:
|
2019-01-09 17:58:39 +01:00
|
|
|
if is_valid_email(username):
|
|
|
|
if not username.endswith("@" + settings.LDAP_APPEND_DOMAIN):
|
|
|
|
raise ZulipLDAPExceptionOutsideDomain("Email %s does not match LDAP domain %s." % (
|
|
|
|
username, settings.LDAP_APPEND_DOMAIN))
|
|
|
|
return email_to_username(username)
|
2013-11-21 01:30:20 +01:00
|
|
|
return username
|
2016-11-29 07:22:02 +01:00
|
|
|
|
2017-11-27 14:35:36 +01:00
|
|
|
def ldap_to_django_username(self, username: str) -> str:
|
2015-10-13 22:57:38 +02:00
|
|
|
if settings.LDAP_APPEND_DOMAIN:
|
2013-11-25 17:57:30 +01:00
|
|
|
return "@".join((username, settings.LDAP_APPEND_DOMAIN))
|
2013-11-21 01:30:20 +01:00
|
|
|
return username
|
|
|
|
|
2018-12-12 19:46:37 +01:00
|
|
|
def sync_avatar_from_ldap(self, user: UserProfile, ldap_user: _LDAPUser) -> None:
|
|
|
|
if 'avatar' in settings.AUTH_LDAP_USER_ATTR_MAP:
|
|
|
|
# We do local imports here to avoid import loops
|
|
|
|
from zerver.lib.upload import upload_avatar_image
|
|
|
|
from zerver.lib.actions import do_change_avatar_fields
|
|
|
|
from io import BytesIO
|
|
|
|
|
|
|
|
avatar_attr_name = settings.AUTH_LDAP_USER_ATTR_MAP['avatar']
|
2018-12-30 01:32:16 +01:00
|
|
|
if avatar_attr_name not in ldap_user.attrs: # nocoverage
|
|
|
|
# If this specific user doesn't have e.g. a
|
|
|
|
# thumbnailPhoto set in LDAP, just skip that user.
|
|
|
|
return
|
2019-06-07 23:36:19 +02:00
|
|
|
|
2019-06-28 00:10:58 +02:00
|
|
|
ldap_avatar = ldap_user.attrs[avatar_attr_name][0]
|
|
|
|
|
|
|
|
avatar_changed = is_avatar_new(ldap_avatar, user)
|
|
|
|
if not avatar_changed:
|
|
|
|
# Don't do work to replace the avatar with itself.
|
|
|
|
return
|
|
|
|
|
|
|
|
io = BytesIO(ldap_avatar)
|
2019-06-07 23:36:19 +02:00
|
|
|
# Structurally, to make the S3 backend happy, we need to
|
|
|
|
# provide a Content-Type; since that isn't specified in
|
|
|
|
# any metadata, we auto-detect it.
|
|
|
|
content_type = magic.from_buffer(copy.deepcopy(io).read()[0:1024], mime=True)
|
|
|
|
if content_type.startswith("image/"):
|
|
|
|
upload_avatar_image(io, user, user, content_type=content_type)
|
|
|
|
do_change_avatar_fields(user, UserProfile.AVATAR_FROM_USER)
|
2019-06-28 00:10:58 +02:00
|
|
|
# Update avatar hash.
|
|
|
|
user.avatar_hash = user_avatar_content_hash(ldap_avatar)
|
|
|
|
user.save(update_fields=["avatar_hash"])
|
2019-06-07 23:36:19 +02:00
|
|
|
else:
|
|
|
|
logging.warning("Could not parse %s field for user %s" %
|
|
|
|
(avatar_attr_name, user.id))
|
2018-12-12 19:46:37 +01:00
|
|
|
|
2019-01-12 17:15:14 +01:00
|
|
|
def is_account_control_disabled_user(self, ldap_user: _LDAPUser) -> bool:
|
2019-03-10 02:43:29 +01:00
|
|
|
"""Implements the userAccountControl check for whether a user has been
|
|
|
|
disabled in an Active Directory server being integrated with
|
|
|
|
Zulip via LDAP."""
|
2018-12-13 23:58:26 +01:00
|
|
|
account_control_value = ldap_user.attrs[settings.AUTH_LDAP_USER_ATTR_MAP['userAccountControl']][0]
|
2018-12-30 01:33:11 +01:00
|
|
|
ldap_disabled = bool(int(account_control_value) & LDAP_USER_ACCOUNT_CONTROL_DISABLED_MASK)
|
2018-12-13 23:58:26 +01:00
|
|
|
return ldap_disabled
|
|
|
|
|
2019-01-16 09:06:11 +01:00
|
|
|
@classmethod
|
|
|
|
def get_mapped_name(cls, ldap_user: _LDAPUser) -> Tuple[str, str]:
|
2019-03-10 02:43:29 +01:00
|
|
|
"""Constructs the user's Zulip full_name and short_name fields from
|
|
|
|
the LDAP data"""
|
2019-01-10 18:25:34 +01:00
|
|
|
if "full_name" in settings.AUTH_LDAP_USER_ATTR_MAP:
|
|
|
|
full_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["full_name"]
|
|
|
|
short_name = full_name = ldap_user.attrs[full_name_attr][0]
|
|
|
|
elif all(key in settings.AUTH_LDAP_USER_ATTR_MAP for key in {"first_name", "last_name"}):
|
|
|
|
first_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["first_name"]
|
|
|
|
last_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["last_name"]
|
|
|
|
short_name = ldap_user.attrs[first_name_attr][0]
|
|
|
|
full_name = short_name + ' ' + ldap_user.attrs[last_name_attr][0]
|
|
|
|
else:
|
|
|
|
raise ZulipLDAPException("Missing required mapping for user's full name")
|
|
|
|
|
|
|
|
if "short_name" in settings.AUTH_LDAP_USER_ATTR_MAP:
|
|
|
|
short_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["short_name"]
|
|
|
|
short_name = ldap_user.attrs[short_name_attr][0]
|
|
|
|
|
|
|
|
return full_name, short_name
|
|
|
|
|
|
|
|
def sync_full_name_from_ldap(self, user_profile: UserProfile,
|
2019-01-12 17:15:14 +01:00
|
|
|
ldap_user: _LDAPUser) -> None:
|
2019-01-10 18:25:34 +01:00
|
|
|
from zerver.lib.actions import do_change_full_name
|
|
|
|
full_name, _ = self.get_mapped_name(ldap_user)
|
|
|
|
if full_name != user_profile.full_name:
|
|
|
|
try:
|
|
|
|
full_name = check_full_name(full_name)
|
|
|
|
except JsonableError as e:
|
|
|
|
raise ZulipLDAPException(e.msg)
|
|
|
|
do_change_full_name(user_profile, full_name, None)
|
|
|
|
|
2019-01-29 13:39:21 +01:00
|
|
|
def sync_custom_profile_fields_from_ldap(self, user_profile: UserProfile,
|
|
|
|
ldap_user: _LDAPUser) -> None:
|
|
|
|
values_by_var_name = {} # type: Dict[str, Union[int, str, List[int]]]
|
|
|
|
for attr, ldap_attr in settings.AUTH_LDAP_USER_ATTR_MAP.items():
|
|
|
|
if not attr.startswith('custom_profile_field__'):
|
|
|
|
continue
|
|
|
|
var_name = attr.split('custom_profile_field__')[1]
|
2019-03-05 09:40:40 +01:00
|
|
|
try:
|
|
|
|
value = ldap_user.attrs[ldap_attr][0]
|
|
|
|
except KeyError:
|
|
|
|
# If this user doesn't have this field set then ignore this
|
|
|
|
# field and continue syncing other fields. `django-auth-ldap`
|
|
|
|
# automatically logs error about missing field.
|
|
|
|
continue
|
2019-01-29 13:39:21 +01:00
|
|
|
values_by_var_name[var_name] = value
|
|
|
|
|
|
|
|
fields_by_var_name = {} # type: Dict[str, CustomProfileField]
|
|
|
|
custom_profile_fields = custom_profile_fields_for_realm(user_profile.realm.id)
|
|
|
|
for field in custom_profile_fields:
|
|
|
|
var_name = '_'.join(field.name.lower().split(' '))
|
|
|
|
fields_by_var_name[var_name] = field
|
|
|
|
|
|
|
|
existing_values = {}
|
|
|
|
for data in user_profile.profile_data:
|
2019-08-04 02:00:19 +02:00
|
|
|
var_name = '_'.join(data['name'].lower().split(' '))
|
2019-01-29 13:39:21 +01:00
|
|
|
existing_values[var_name] = data['value']
|
|
|
|
|
|
|
|
profile_data = [] # type: List[Dict[str, Union[int, str, List[int]]]]
|
|
|
|
for var_name, value in values_by_var_name.items():
|
|
|
|
try:
|
|
|
|
field = fields_by_var_name[var_name]
|
|
|
|
except KeyError:
|
|
|
|
raise ZulipLDAPException('Custom profile field with name %s not found.' % (var_name,))
|
|
|
|
if existing_values.get(var_name) == value:
|
|
|
|
continue
|
|
|
|
result = validate_user_custom_profile_field(user_profile.realm.id, field, value)
|
|
|
|
if result is not None:
|
|
|
|
raise ZulipLDAPException('Invalid data for %s field: %s' % (var_name, result))
|
|
|
|
profile_data.append({
|
|
|
|
'id': field.id,
|
|
|
|
'value': value,
|
|
|
|
})
|
2019-10-01 04:22:50 +02:00
|
|
|
do_update_user_custom_profile_data_if_changed(user_profile, profile_data)
|
2019-01-29 13:39:21 +01:00
|
|
|
|
2018-12-12 19:46:37 +01:00
|
|
|
def get_or_build_user(self, username: str,
|
2019-01-12 17:15:14 +01:00
|
|
|
ldap_user: _LDAPUser) -> Tuple[UserProfile, bool]:
|
2019-03-10 02:43:29 +01:00
|
|
|
"""This is used only in non-authentication contexts such as:
|
|
|
|
./manage.py sync_ldap_user_data
|
|
|
|
In authentication contexts, this is overriden in ZulipLDAPAuthBackend.
|
|
|
|
"""
|
2018-12-12 19:46:37 +01:00
|
|
|
(user, built) = super().get_or_build_user(username, ldap_user)
|
2018-12-30 20:05:14 +01:00
|
|
|
if 'userAccountControl' in settings.AUTH_LDAP_USER_ATTR_MAP:
|
|
|
|
user_disabled_in_ldap = self.is_account_control_disabled_user(ldap_user)
|
2019-08-23 22:02:30 +02:00
|
|
|
if user_disabled_in_ldap:
|
|
|
|
if user.is_active:
|
|
|
|
logging.info("Deactivating user %s because they are disabled in LDAP." %
|
|
|
|
(user.email,))
|
|
|
|
do_deactivate_user(user)
|
|
|
|
# Do an early return to avoid trying to sync additional data.
|
2018-12-30 20:05:14 +01:00
|
|
|
return (user, built)
|
2019-08-23 22:02:30 +02:00
|
|
|
elif not user.is_active:
|
2018-12-30 20:05:14 +01:00
|
|
|
logging.info("Reactivating user %s because they are not disabled in LDAP." %
|
|
|
|
(user.email,))
|
|
|
|
do_reactivate_user(user)
|
2019-08-23 22:02:30 +02:00
|
|
|
|
|
|
|
self.sync_avatar_from_ldap(user, ldap_user)
|
|
|
|
self.sync_full_name_from_ldap(user, ldap_user)
|
|
|
|
self.sync_custom_profile_fields_from_ldap(user, ldap_user)
|
2018-12-12 19:46:37 +01:00
|
|
|
return (user, built)
|
|
|
|
|
2015-10-13 23:08:05 +02:00
|
|
|
class ZulipLDAPAuthBackend(ZulipLDAPAuthBackendBase):
|
2017-09-22 10:58:12 +02:00
|
|
|
REALM_IS_NONE_ERROR = 1
|
|
|
|
|
2019-05-08 02:18:34 +02:00
|
|
|
def authenticate(self, *, username: str, password: str, realm: Realm,
|
2019-01-16 09:59:01 +01:00
|
|
|
prereg_user: Optional[PreregistrationUser]=None,
|
2017-11-21 20:47:26 +01:00
|
|
|
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
|
2017-11-17 23:56:45 +01:00
|
|
|
self._realm = realm
|
2019-01-16 09:59:01 +01:00
|
|
|
self._prereg_user = prereg_user
|
2017-11-21 21:45:32 +01:00
|
|
|
if not ldap_auth_enabled(realm):
|
|
|
|
return None
|
2017-11-17 23:56:45 +01:00
|
|
|
|
2015-10-13 23:08:05 +02:00
|
|
|
try:
|
|
|
|
username = self.django_to_ldap_username(username)
|
2018-05-31 23:10:22 +02:00
|
|
|
except ZulipLDAPExceptionOutsideDomain:
|
2018-10-27 03:19:49 +02:00
|
|
|
if return_data is not None:
|
|
|
|
return_data['outside_ldap_domain'] = True
|
auth: Improve interactions between LDAPAuthBackend and EmailAuthBackend.
Previously, if you had LDAPAuthBackend enabled, we basically blocked
any other auth backends from working at all, by requiring the user's
login flow include verifying the user's LDAP password.
We still want to enforce that in the case that the account email
matches LDAP_APPEND_DOMAIN, but there's a reasonable corner case:
Having effectively guest users from outside the LDAP domain.
We don't want to allow creating a Zulip-level password for a user
inside the LDAP domain, so we still verify the LDAP password in that
flow, but if the email is allowed to register (due to invite or
whatever) but is outside the LDAP domain for the organization, we
allow it to create an account and set a password.
For the moment, this solution only covers EmailAuthBackend. It's
likely that just extending the list of other backends we check for in
the new conditional on `email_auth_backend` would be correct, but we
haven't done any testing for those cases, and with auth code paths,
it's better to disallow than allow untested code paths.
Fixes #9422.
2018-05-29 06:52:06 +02:00
|
|
|
return None
|
2015-10-13 23:08:05 +02:00
|
|
|
|
2019-03-10 02:43:29 +01:00
|
|
|
# Call into (ultimately) the django-auth-ldap authenticate
|
|
|
|
# function. This will check the username/password pair
|
|
|
|
# against the LDAP database, and assuming those are correct,
|
|
|
|
# end up calling `self.get_or_build_user` with the
|
|
|
|
# authenticated user's data from LDAP.
|
2018-05-31 23:10:22 +02:00
|
|
|
return ZulipLDAPAuthBackendBase.authenticate(self,
|
2018-08-01 12:38:41 +02:00
|
|
|
request=None,
|
2018-05-31 23:10:22 +02:00
|
|
|
username=username,
|
|
|
|
password=password)
|
|
|
|
|
2018-05-22 08:33:56 +02:00
|
|
|
def get_or_build_user(self, username: str, ldap_user: _LDAPUser) -> Tuple[UserProfile, bool]:
|
2019-03-10 02:43:29 +01:00
|
|
|
"""The main function of our authentication backend extension of
|
|
|
|
django-auth-ldap. When this is called (from `authenticate`),
|
|
|
|
django-auth-ldap will already have verified that the provided
|
|
|
|
username and password match those in the LDAP database.
|
|
|
|
|
|
|
|
This function's responsibility is to check (1) whether the
|
|
|
|
email address for this user obtained from LDAP has an active
|
|
|
|
account in this Zulip realm. If so, it will log them in.
|
|
|
|
|
|
|
|
Otherwise, to provide a seamless Single Sign-On experience
|
|
|
|
with LDAP, this function can automatically create a new Zulip
|
|
|
|
user account in the realm (assuming the realm is configured to
|
|
|
|
allow that email address to sign up).
|
|
|
|
"""
|
2018-05-31 23:16:03 +02:00
|
|
|
return_data = {} # type: Dict[str, Any]
|
2017-09-10 17:25:24 +02:00
|
|
|
|
2017-11-21 21:48:55 +01:00
|
|
|
if settings.LDAP_EMAIL_ATTR is not None:
|
|
|
|
# Get email from ldap attributes.
|
|
|
|
if settings.LDAP_EMAIL_ATTR not in ldap_user.attrs:
|
2018-05-31 23:16:03 +02:00
|
|
|
return_data["ldap_missing_attribute"] = settings.LDAP_EMAIL_ATTR
|
2017-11-21 21:48:55 +01:00
|
|
|
raise ZulipLDAPException("LDAP user doesn't have the needed %s attribute" % (
|
|
|
|
settings.LDAP_EMAIL_ATTR,))
|
|
|
|
|
|
|
|
username = ldap_user.attrs[settings.LDAP_EMAIL_ATTR][0]
|
2017-09-10 17:25:24 +02:00
|
|
|
|
2018-12-13 23:58:26 +01:00
|
|
|
if 'userAccountControl' in settings.AUTH_LDAP_USER_ATTR_MAP: # nocoverage
|
|
|
|
ldap_disabled = self.is_account_control_disabled_user(ldap_user)
|
|
|
|
if ldap_disabled:
|
|
|
|
# Treat disabled users as deactivated in Zulip.
|
|
|
|
return_data["inactive_user"] = True
|
|
|
|
raise ZulipLDAPException("User has been deactivated")
|
|
|
|
|
2017-11-21 21:52:34 +01:00
|
|
|
user_profile = common_get_active_user(username, self._realm, return_data)
|
2017-11-21 21:57:23 +01:00
|
|
|
if user_profile is not None:
|
|
|
|
# An existing user, successfully authed; return it.
|
|
|
|
return user_profile, False
|
|
|
|
|
2017-11-21 21:52:34 +01:00
|
|
|
if return_data.get("inactive_realm"):
|
2017-11-18 01:13:35 +01:00
|
|
|
# This happens if there is a user account in a deactivated realm
|
2017-11-21 21:52:34 +01:00
|
|
|
raise ZulipLDAPException("Realm has been deactivated")
|
|
|
|
if return_data.get("inactive_user"):
|
2017-11-18 01:07:20 +01:00
|
|
|
raise ZulipLDAPException("User has been deactivated")
|
2019-03-04 13:16:00 +01:00
|
|
|
# An invalid_subdomain `return_data` value here is ignored,
|
|
|
|
# since that just means we're trying to create an account in a
|
|
|
|
# second realm on the server (`ldap_auth_enabled(realm)` would
|
|
|
|
# have been false if this user wasn't meant to have an account
|
|
|
|
# in this second realm).
|
2017-11-18 01:12:05 +01:00
|
|
|
if self._realm.deactivated:
|
2017-11-18 01:13:35 +01:00
|
|
|
# This happens if no account exists, but the realm is
|
|
|
|
# deactivated, so we shouldn't create a new user account
|
2017-11-18 01:12:05 +01:00
|
|
|
raise ZulipLDAPException("Realm has been deactivated")
|
|
|
|
|
2019-03-10 08:57:19 +01:00
|
|
|
# Makes sure that email domain hasn't be restricted for this
|
|
|
|
# realm. The main thing here is email_allowed_for_realm; but
|
|
|
|
# we also call validate_email_for_realm just for consistency,
|
|
|
|
# even though its checks were already done above.
|
|
|
|
try:
|
|
|
|
email_allowed_for_realm(username, self._realm)
|
|
|
|
validate_email_for_realm(self._realm, username)
|
|
|
|
except DomainNotAllowedForRealmError:
|
|
|
|
raise ZulipLDAPException("This email domain isn't allowed in this organization.")
|
|
|
|
except (DisposableEmailError, EmailContainsPlusError):
|
|
|
|
raise ZulipLDAPException("Email validation failed.")
|
|
|
|
|
2017-11-18 01:13:35 +01:00
|
|
|
# We have valid LDAP credentials; time to create an account.
|
2019-01-10 18:25:34 +01:00
|
|
|
full_name, short_name = self.get_mapped_name(ldap_user)
|
2017-11-18 01:12:05 +01:00
|
|
|
try:
|
|
|
|
full_name = check_full_name(full_name)
|
|
|
|
except JsonableError as e:
|
|
|
|
raise ZulipLDAPException(e.msg)
|
|
|
|
|
2019-01-16 09:59:01 +01:00
|
|
|
opts = {} # type: Dict[str, Any]
|
|
|
|
if self._prereg_user:
|
|
|
|
invited_as = self._prereg_user.invited_as
|
|
|
|
opts['prereg_user'] = self._prereg_user
|
|
|
|
opts['is_realm_admin'] = invited_as == PreregistrationUser.INVITE_AS['REALM_ADMIN']
|
|
|
|
opts['is_guest'] = invited_as == PreregistrationUser.INVITE_AS['GUEST_USER']
|
|
|
|
opts['default_stream_groups'] = get_default_stream_groups(self._realm)
|
|
|
|
|
|
|
|
user_profile = do_create_user(username, None, self._realm, full_name, short_name, **opts)
|
2018-12-12 19:46:37 +01:00
|
|
|
self.sync_avatar_from_ldap(user_profile, ldap_user)
|
2019-01-29 13:39:21 +01:00
|
|
|
self.sync_custom_profile_fields_from_ldap(user_profile, ldap_user)
|
2017-11-18 01:12:05 +01:00
|
|
|
|
|
|
|
return user_profile, True
|
2013-11-21 01:30:20 +01:00
|
|
|
|
2015-10-13 23:08:05 +02:00
|
|
|
class ZulipLDAPUserPopulator(ZulipLDAPAuthBackendBase):
|
2019-03-10 02:43:29 +01:00
|
|
|
"""Just like ZulipLDAPAuthBackend, but doesn't let you log in. Used
|
|
|
|
for syncing data like names, avatars, and custom profile fields
|
|
|
|
from LDAP in `manage.py sync_ldap_user_data` as well as in
|
|
|
|
registration for organizations that use a different SSO solution
|
|
|
|
for managing login (often via RemoteUserBackend).
|
|
|
|
"""
|
2019-05-08 02:18:34 +02:00
|
|
|
def authenticate(self, *, username: str, password: str, realm: Realm,
|
2019-05-05 01:04:48 +02:00
|
|
|
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
|
2013-11-21 01:30:20 +01:00
|
|
|
return None
|
2015-08-19 02:58:20 +02:00
|
|
|
|
2019-09-04 10:11:25 +02:00
|
|
|
class PopulateUserLDAPError(ZulipLDAPException):
|
|
|
|
pass
|
|
|
|
|
|
|
|
@receiver(ldap_error, sender=ZulipLDAPUserPopulator)
|
|
|
|
def catch_ldap_error(signal: Signal, **kwargs: Any) -> None:
|
|
|
|
"""
|
|
|
|
Inside django_auth_ldap populate_user(), if LDAPError is raised,
|
|
|
|
e.g. due to invalid connection credentials, the function catches it
|
|
|
|
and emits a signal (ldap_error) to communicate this error to others.
|
|
|
|
We normally don't use signals, but here there's no choice, so in this function
|
|
|
|
we essentially convert the signal to a normal exception that will properly
|
|
|
|
propagate out of django_auth_ldap internals.
|
|
|
|
"""
|
|
|
|
if kwargs['context'] == 'populate_user':
|
|
|
|
# The exception message can contain the password (if it was invalid),
|
|
|
|
# so it seems better not to log that, and only use the original exception's name here.
|
|
|
|
raise PopulateUserLDAPError(kwargs['exception'].__class__.__name__)
|
|
|
|
|
2019-08-26 21:13:23 +02:00
|
|
|
def sync_user_from_ldap(user_profile: UserProfile, logger: logging.Logger) -> bool:
|
2019-01-12 12:32:54 +01:00
|
|
|
backend = ZulipLDAPUserPopulator()
|
|
|
|
updated_user = backend.populate_user(backend.django_to_ldap_username(user_profile.email))
|
2019-08-26 21:13:23 +02:00
|
|
|
if updated_user:
|
|
|
|
logger.info("Updated %s." % (user_profile.email,))
|
|
|
|
return True
|
|
|
|
|
|
|
|
if settings.LDAP_DEACTIVATE_NON_MATCHING_USERS:
|
|
|
|
do_deactivate_user(user_profile)
|
|
|
|
logger.info("Deactivated non-matching user: %s" % (user_profile.email,))
|
|
|
|
return True
|
|
|
|
elif user_profile.is_active:
|
|
|
|
logger.warning("Did not find %s in LDAP." % (user_profile.email,))
|
|
|
|
return False
|
2019-01-12 12:32:54 +01:00
|
|
|
|
2019-03-09 07:52:14 +01:00
|
|
|
# Quick tool to test whether you're correctly authenticating to LDAP
|
2019-03-09 08:32:06 +01:00
|
|
|
def query_ldap(email: str) -> List[str]:
|
|
|
|
values = []
|
|
|
|
backend = next((backend for backend in get_backends() if isinstance(backend, LDAPBackend)), None)
|
|
|
|
if backend is not None:
|
|
|
|
ldap_attrs = _LDAPUser(backend, backend.django_to_ldap_username(email)).attrs
|
|
|
|
if ldap_attrs is None:
|
|
|
|
values.append("No such user found")
|
|
|
|
else:
|
|
|
|
for django_field, ldap_field in settings.AUTH_LDAP_USER_ATTR_MAP.items():
|
|
|
|
value = ldap_attrs.get(ldap_field, ["LDAP field not present", ])[0]
|
|
|
|
if django_field == "avatar":
|
|
|
|
if isinstance(value, bytes):
|
|
|
|
value = "(An avatar image file)"
|
|
|
|
values.append("%s: %s" % (django_field, value))
|
|
|
|
if settings.LDAP_EMAIL_ATTR is not None:
|
|
|
|
values.append("%s: %s" % ('email', ldap_attrs[settings.LDAP_EMAIL_ATTR][0]))
|
|
|
|
else:
|
|
|
|
values.append("LDAP backend not configured on this server.")
|
|
|
|
return values
|
2019-03-09 07:52:14 +01:00
|
|
|
|
2015-08-19 02:58:20 +02:00
|
|
|
class DevAuthBackend(ZulipAuthMixin):
|
2019-03-10 02:43:29 +01:00
|
|
|
"""Allow logging in as any user without a password. This is used for
|
|
|
|
convenience when developing Zulip, and is disabled in production."""
|
2019-05-08 02:18:34 +02:00
|
|
|
def authenticate(self, *, dev_auth_username: str, realm: Realm,
|
2017-11-21 20:47:26 +01:00
|
|
|
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
|
2017-11-21 21:19:58 +01:00
|
|
|
if not dev_auth_enabled(realm):
|
|
|
|
return None
|
2017-11-21 21:20:44 +01:00
|
|
|
return common_get_active_user(dev_auth_username, realm, return_data=return_data)
|
2016-07-20 13:33:27 +02:00
|
|
|
|
2019-04-12 06:24:58 +02:00
|
|
|
def redirect_deactivated_user_to_login() -> HttpResponseRedirect:
|
2019-04-17 21:28:57 +02:00
|
|
|
# Specifying the template name makes sure that the user is not redirected to dev_login in case of
|
|
|
|
# a deactivated account on a test server.
|
|
|
|
login_url = reverse('zerver.views.auth.login_page', kwargs = {'template_name': 'zerver/login.html'})
|
2019-04-12 06:24:58 +02:00
|
|
|
redirect_url = login_url + '?is_deactivated=true'
|
|
|
|
return HttpResponseRedirect(redirect_url)
|
|
|
|
|
2018-05-31 00:12:39 +02:00
|
|
|
def social_associate_user_helper(backend: BaseAuth, return_data: Dict[str, Any],
|
|
|
|
*args: Any, **kwargs: Any) -> Optional[UserProfile]:
|
|
|
|
"""Responsible for doing the Zulip-account lookup and validation parts
|
|
|
|
of the Zulip Social auth pipeline (similar to the authenticate()
|
|
|
|
methods in most other auth backends in this file).
|
2019-03-10 02:43:29 +01:00
|
|
|
|
|
|
|
Returns a UserProfile object for successful authentication, and None otherwise.
|
2018-05-31 00:12:39 +02:00
|
|
|
"""
|
|
|
|
subdomain = backend.strategy.session_get('subdomain')
|
2019-05-04 04:47:44 +02:00
|
|
|
try:
|
|
|
|
realm = get_realm(subdomain)
|
|
|
|
except Realm.DoesNotExist:
|
2018-05-31 00:12:39 +02:00
|
|
|
return_data["invalid_realm"] = True
|
|
|
|
return None
|
2018-07-10 12:29:06 +02:00
|
|
|
return_data["realm_id"] = realm.id
|
2016-11-07 00:09:21 +01:00
|
|
|
|
2018-05-31 00:12:39 +02:00
|
|
|
if not auth_enabled_helper([backend.auth_backend_name], realm):
|
|
|
|
return_data["auth_backend_disabled"] = True
|
|
|
|
return None
|
2016-07-20 13:33:27 +02:00
|
|
|
|
2018-05-31 00:12:39 +02:00
|
|
|
if 'auth_failed_reason' in kwargs.get('response', {}):
|
|
|
|
return_data["social_auth_failed_reason"] = kwargs['response']["auth_failed_reason"]
|
|
|
|
return None
|
2018-06-07 00:19:06 +02:00
|
|
|
elif hasattr(backend, 'get_verified_emails'):
|
2019-03-10 02:43:29 +01:00
|
|
|
# Some social backends, like GitHubAuthBackend, don't
|
|
|
|
# guarantee that the `details` data is validated (i.e., it's
|
|
|
|
# possible users can put any string they want in the "email"
|
|
|
|
# field of the `details` object). For those backends, we have
|
|
|
|
# custom per-backend code to properly fetch only verified
|
|
|
|
# email addresses from the appropriate third-party API.
|
2018-06-07 00:19:06 +02:00
|
|
|
verified_emails = backend.get_verified_emails(*args, **kwargs)
|
2018-07-18 23:45:49 +02:00
|
|
|
verified_emails_length = len(verified_emails)
|
|
|
|
if verified_emails_length == 0:
|
2018-06-07 00:19:06 +02:00
|
|
|
# TODO: Provide a nice error message screen to the user
|
|
|
|
# for this case, rather than just logging a warning.
|
|
|
|
logging.warning("Social auth (%s) failed because user has no verified emails" %
|
|
|
|
(backend.auth_backend_name,))
|
|
|
|
return_data["email_not_verified"] = True
|
|
|
|
return None
|
2018-07-18 23:45:49 +02:00
|
|
|
|
|
|
|
if verified_emails_length == 1:
|
|
|
|
chosen_email = verified_emails[0]
|
|
|
|
else:
|
|
|
|
chosen_email = backend.strategy.request_data().get('email')
|
|
|
|
|
|
|
|
if not chosen_email:
|
2019-08-03 14:15:32 +02:00
|
|
|
avatars = {} # Dict[str, str]
|
|
|
|
for email in verified_emails:
|
|
|
|
existing_account = common_get_active_user(email, realm, {})
|
|
|
|
if existing_account is not None:
|
|
|
|
avatars[email] = avatar_url(existing_account)
|
|
|
|
|
2018-07-18 23:45:49 +02:00
|
|
|
return render(backend.strategy.request, 'zerver/social_auth_select_email.html', context = {
|
|
|
|
'primary_email': verified_emails[0],
|
|
|
|
'verified_non_primary_emails': verified_emails[1:],
|
2019-08-03 14:15:32 +02:00
|
|
|
'backend': 'github',
|
|
|
|
'avatar_urls': avatars,
|
2018-07-18 23:45:49 +02:00
|
|
|
})
|
|
|
|
|
|
|
|
try:
|
|
|
|
validate_email(chosen_email)
|
|
|
|
except ValidationError:
|
|
|
|
return_data['invalid_email'] = True
|
|
|
|
return None
|
|
|
|
|
|
|
|
if chosen_email not in verified_emails:
|
|
|
|
# If a user edits the submit value for the choose email form, we might
|
|
|
|
# end up with a wrong email associated with the account. The below code
|
|
|
|
# takes care of that.
|
|
|
|
logging.warning("Social auth (%s) failed because user has no verified"
|
|
|
|
" emails associated with the account" %
|
|
|
|
(backend.auth_backend_name,))
|
|
|
|
return_data["email_not_associated"] = True
|
|
|
|
return None
|
|
|
|
|
|
|
|
validated_email = chosen_email
|
2019-09-28 01:51:36 +02:00
|
|
|
else:
|
|
|
|
try:
|
|
|
|
validate_email(kwargs["details"].get("email"))
|
|
|
|
except ValidationError:
|
|
|
|
return_data['invalid_email'] = True
|
|
|
|
return None
|
2018-05-31 00:12:39 +02:00
|
|
|
validated_email = kwargs["details"].get("email")
|
|
|
|
|
|
|
|
if not validated_email: # nocoverage
|
|
|
|
# This code path isn't used with GitHubAuthBackend, but may be relevant for other
|
|
|
|
# social auth backends.
|
|
|
|
return_data['invalid_email'] = True
|
|
|
|
return None
|
|
|
|
|
|
|
|
return_data["valid_attestation"] = True
|
|
|
|
return_data['validated_email'] = validated_email
|
|
|
|
user_profile = common_get_active_user(validated_email, realm, return_data)
|
|
|
|
|
2019-09-28 01:49:58 +02:00
|
|
|
full_name = kwargs['details'].get('fullname')
|
|
|
|
first_name = kwargs['details'].get('first_name', '')
|
|
|
|
last_name = kwargs['details'].get('last_name', '')
|
|
|
|
if full_name is None:
|
|
|
|
if not first_name and not last_name:
|
|
|
|
# If we add support for any of the social auth backends that
|
|
|
|
# don't provide this feature, we'll need to add code here.
|
|
|
|
raise AssertionError("Social auth backend doesn't provide name")
|
|
|
|
|
|
|
|
if full_name:
|
|
|
|
return_data["full_name"] = full_name
|
2018-05-31 00:12:39 +02:00
|
|
|
else:
|
2019-09-28 01:49:58 +02:00
|
|
|
# In SAML authentication, the IdP may support only sending
|
|
|
|
# the first and last name as separate attributes - in that case
|
|
|
|
# we construct the full name from them.
|
|
|
|
return_data["full_name"] = "{} {}".format(
|
|
|
|
first_name,
|
|
|
|
last_name
|
|
|
|
).strip() # strip removes the unnecessary ' '
|
2018-05-31 00:12:39 +02:00
|
|
|
|
|
|
|
return user_profile
|
2017-03-09 09:45:21 +01:00
|
|
|
|
2018-07-18 23:45:49 +02:00
|
|
|
@partial
|
2018-05-31 00:12:39 +02:00
|
|
|
def social_auth_associate_user(
|
|
|
|
backend: BaseAuth,
|
|
|
|
*args: Any,
|
2018-07-18 23:45:49 +02:00
|
|
|
**kwargs: Any) -> Union[HttpResponse, Dict[str, Any]]:
|
2019-03-10 02:43:29 +01:00
|
|
|
"""A simple wrapper function to reformat the return data from
|
|
|
|
social_associate_user_helper as a dictionary. The
|
|
|
|
python-social-auth infrastructure will then pass those values into
|
|
|
|
later stages of settings.SOCIAL_AUTH_PIPELINE, such as
|
|
|
|
social_auth_finish, as kwargs.
|
|
|
|
"""
|
2018-07-18 23:45:49 +02:00
|
|
|
partial_token = backend.strategy.request_data().get('partial_token')
|
2018-05-31 00:12:39 +02:00
|
|
|
return_data = {} # type: Dict[str, Any]
|
|
|
|
user_profile = social_associate_user_helper(
|
|
|
|
backend, return_data, *args, **kwargs)
|
|
|
|
|
2018-07-18 23:45:49 +02:00
|
|
|
if type(user_profile) == HttpResponse:
|
|
|
|
return user_profile
|
|
|
|
else:
|
|
|
|
return {'user_profile': user_profile,
|
|
|
|
'return_data': return_data,
|
|
|
|
'partial_token': partial_token,
|
|
|
|
'partial_backend_name': backend}
|
2018-05-31 00:12:39 +02:00
|
|
|
|
|
|
|
def social_auth_finish(backend: Any,
|
|
|
|
details: Dict[str, Any],
|
|
|
|
response: HttpResponse,
|
|
|
|
*args: Any,
|
|
|
|
**kwargs: Any) -> Optional[UserProfile]:
|
2019-03-10 02:43:29 +01:00
|
|
|
"""Given the determination in social_auth_associate_user for whether
|
|
|
|
the user should be authenticated, this takes care of actually
|
|
|
|
logging in the user (if appropriate) and redirecting the browser
|
|
|
|
to the appropriate next page depending on the situation. Read the
|
|
|
|
comments below as well as login_or_register_remote_user in
|
|
|
|
`zerver/views/auth.py` for the details on how that dispatch works.
|
|
|
|
"""
|
2018-05-31 00:12:39 +02:00
|
|
|
from zerver.views.auth import (login_or_register_remote_user,
|
|
|
|
redirect_and_log_into_subdomain)
|
|
|
|
|
|
|
|
user_profile = kwargs['user_profile']
|
|
|
|
return_data = kwargs['return_data']
|
|
|
|
|
2018-06-07 00:19:06 +02:00
|
|
|
no_verified_email = return_data.get("email_not_verified")
|
2018-05-31 00:12:39 +02:00
|
|
|
auth_backend_disabled = return_data.get('auth_backend_disabled')
|
|
|
|
inactive_user = return_data.get('inactive_user')
|
|
|
|
inactive_realm = return_data.get('inactive_realm')
|
|
|
|
invalid_realm = return_data.get('invalid_realm')
|
|
|
|
invalid_email = return_data.get('invalid_email')
|
|
|
|
auth_failed_reason = return_data.get("social_auth_failed_reason")
|
2018-07-18 23:45:49 +02:00
|
|
|
email_not_associated = return_data.get("email_not_associated")
|
2018-05-31 00:12:39 +02:00
|
|
|
|
|
|
|
if invalid_realm:
|
|
|
|
from zerver.views.auth import redirect_to_subdomain_login_url
|
|
|
|
return redirect_to_subdomain_login_url()
|
2019-04-12 06:24:58 +02:00
|
|
|
|
|
|
|
if inactive_user:
|
|
|
|
return redirect_deactivated_user_to_login()
|
|
|
|
|
2018-07-18 23:45:49 +02:00
|
|
|
if auth_backend_disabled or inactive_realm or no_verified_email or email_not_associated:
|
2018-05-31 00:12:39 +02:00
|
|
|
# Redirect to login page. We can't send to registration
|
|
|
|
# workflow with these errors. We will redirect to login page.
|
|
|
|
return None
|
|
|
|
|
|
|
|
if invalid_email:
|
|
|
|
# In case of invalid email, we will end up on registration page.
|
|
|
|
# This seems better than redirecting to login page.
|
|
|
|
logging.warning(
|
|
|
|
"{} got invalid email argument.".format(backend.auth_backend_name)
|
|
|
|
)
|
|
|
|
return None
|
2016-07-20 13:33:27 +02:00
|
|
|
|
2018-05-31 00:12:39 +02:00
|
|
|
if auth_failed_reason:
|
|
|
|
logging.info(auth_failed_reason)
|
|
|
|
return None
|
|
|
|
|
|
|
|
# Structurally, all the cases where we don't have an authenticated
|
|
|
|
# email for the user should be handled above; this assertion helps
|
|
|
|
# prevent any violations of that contract from resulting in a user
|
|
|
|
# being incorrectly authenticated.
|
|
|
|
assert return_data.get('valid_attestation') is True
|
|
|
|
|
2019-08-10 00:30:35 +02:00
|
|
|
strategy = backend.strategy
|
2018-05-31 00:12:39 +02:00
|
|
|
email_address = return_data['validated_email']
|
|
|
|
full_name = return_data['full_name']
|
|
|
|
is_signup = strategy.session_get('is_signup') == '1'
|
|
|
|
redirect_to = strategy.session_get('next')
|
2018-07-10 12:29:06 +02:00
|
|
|
realm = Realm.objects.get(id=return_data["realm_id"])
|
2019-02-08 17:09:25 +01:00
|
|
|
multiuse_object_key = strategy.session_get('multiuse_object_key', '')
|
2018-05-31 00:12:39 +02:00
|
|
|
mobile_flow_otp = strategy.session_get('mobile_flow_otp')
|
2019-03-10 02:43:29 +01:00
|
|
|
|
|
|
|
# At this point, we have now confirmed that the user has
|
|
|
|
# demonstrated control over the target email address.
|
|
|
|
#
|
|
|
|
# The next step is to call login_or_register_remote_user, but
|
|
|
|
# there are two code paths here because of an optimization to save
|
|
|
|
# a redirect on mobile.
|
|
|
|
|
2018-05-31 00:12:39 +02:00
|
|
|
if mobile_flow_otp is not None:
|
2019-03-10 02:43:29 +01:00
|
|
|
# For mobile app authentication, login_or_register_remote_user
|
|
|
|
# will redirect to a special zulip:// URL that is handled by
|
|
|
|
# the app after a successful authentication; so we can
|
|
|
|
# redirect directly from here, saving a round trip over what
|
|
|
|
# we need to do to create session cookies on the right domain
|
|
|
|
# in the web login flow (below).
|
2018-05-31 00:12:39 +02:00
|
|
|
return login_or_register_remote_user(strategy.request, email_address,
|
|
|
|
user_profile, full_name,
|
|
|
|
mobile_flow_otp=mobile_flow_otp,
|
|
|
|
is_signup=is_signup,
|
|
|
|
redirect_to=redirect_to)
|
2019-03-10 02:43:29 +01:00
|
|
|
|
|
|
|
# If this authentication code were executing on
|
|
|
|
# subdomain.zulip.example.com, we would just call
|
|
|
|
# login_or_register_remote_user as in the mobile code path.
|
|
|
|
# However, because third-party SSO providers generally don't allow
|
|
|
|
# wildcard addresses in their redirect URLs, for multi-realm
|
|
|
|
# servers, we will have just completed authentication on e.g.
|
|
|
|
# auth.zulip.example.com (depending on
|
|
|
|
# settings.SOCIAL_AUTH_SUBDOMAIN), which cannot store cookies on
|
|
|
|
# the subdomain.zulip.example.com domain. So instead we serve a
|
|
|
|
# redirect (encoding the authentication result data in a
|
|
|
|
# cryptographically signed token) to a route on
|
|
|
|
# subdomain.zulip.example.com that will verify the signature and
|
|
|
|
# then call login_or_register_remote_user.
|
2018-05-31 00:12:39 +02:00
|
|
|
return redirect_and_log_into_subdomain(realm, full_name, email_address,
|
|
|
|
is_signup=is_signup,
|
2019-02-08 17:09:25 +01:00
|
|
|
redirect_to=redirect_to,
|
|
|
|
multiuse_object_key=multiuse_object_key)
|
2018-05-31 00:12:39 +02:00
|
|
|
|
2018-07-03 18:47:20 +02:00
|
|
|
class SocialAuthMixin(ZulipAuthMixin):
|
2018-10-12 02:35:07 +02:00
|
|
|
auth_backend_name = "undeclared"
|
2019-03-10 09:38:20 +01:00
|
|
|
# Used to determine how to order buttons on login form, backend with
|
|
|
|
# higher sort order are displayed first.
|
2019-03-05 18:30:10 +01:00
|
|
|
sort_order = 0
|
2018-10-12 02:35:07 +02:00
|
|
|
|
2018-07-03 18:47:20 +02:00
|
|
|
def auth_complete(self, *args: Any, **kwargs: Any) -> Optional[HttpResponse]:
|
|
|
|
"""This is a small wrapper around the core `auth_complete` method of
|
|
|
|
python-social-auth, designed primarily to prevent 500s for
|
|
|
|
exceptions in the social auth code from situations that are
|
|
|
|
really user errors. Returning `None` from this function will
|
|
|
|
redirect the browser to the login page.
|
|
|
|
"""
|
|
|
|
try:
|
|
|
|
# Call the auth_complete method of social_core.backends.oauth.BaseOAuth2
|
|
|
|
return super().auth_complete(*args, **kwargs) # type: ignore # monkey-patching
|
|
|
|
except AuthFailed as e:
|
|
|
|
# When a user's social authentication fails (e.g. because
|
|
|
|
# they did something funny with reloading in the middle of
|
|
|
|
# the flow), don't throw a 500, just send them back to the
|
|
|
|
# login page and record the event at the info log level.
|
|
|
|
logging.info(str(e))
|
|
|
|
return None
|
|
|
|
except SocialAuthBaseException as e:
|
|
|
|
# Other python-social-auth exceptions are likely
|
|
|
|
# interesting enough that we should log a warning.
|
|
|
|
logging.warning(str(e))
|
|
|
|
return None
|
|
|
|
|
|
|
|
class GitHubAuthBackend(SocialAuthMixin, GithubOAuth2):
|
2018-05-31 00:12:39 +02:00
|
|
|
auth_backend_name = "GitHub"
|
2019-03-10 09:38:20 +01:00
|
|
|
sort_order = 100
|
2017-03-09 09:45:21 +01:00
|
|
|
|
2018-06-07 00:19:06 +02:00
|
|
|
def get_verified_emails(self, *args: Any, **kwargs: Any) -> List[str]:
|
|
|
|
access_token = kwargs["response"]["access_token"]
|
|
|
|
try:
|
|
|
|
emails = self._user_data(access_token, '/emails')
|
|
|
|
except (HTTPError, ValueError, TypeError): # nocoverage
|
|
|
|
# We don't really need an explicit test for this code
|
|
|
|
# path, since the outcome will be the same as any other
|
|
|
|
# case without any verified emails
|
|
|
|
emails = []
|
|
|
|
|
2018-07-10 12:03:42 +02:00
|
|
|
verified_emails = [] # type: List[str]
|
2018-07-18 23:45:49 +02:00
|
|
|
for email_obj in self.filter_usable_emails(emails):
|
2018-07-10 12:03:42 +02:00
|
|
|
# social_associate_user_helper assumes that the first email in
|
|
|
|
# verified_emails is primary.
|
|
|
|
if email_obj.get("primary"):
|
|
|
|
verified_emails.insert(0, email_obj["email"])
|
|
|
|
else:
|
|
|
|
verified_emails.append(email_obj["email"])
|
2018-06-07 00:19:06 +02:00
|
|
|
|
|
|
|
return verified_emails
|
2016-08-01 13:06:35 +02:00
|
|
|
|
2018-07-18 23:45:49 +02:00
|
|
|
def filter_usable_emails(self, emails: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
|
2019-08-05 15:15:56 +02:00
|
|
|
# We only let users login using email addresses that are
|
|
|
|
# verified by GitHub, because the whole point is for the user
|
|
|
|
# to demonstrate that they control the target email address.
|
|
|
|
# We also disallow the
|
|
|
|
# @noreply.github.com/@users.noreply.github.com email
|
|
|
|
# addresses, because structurally, we only want to allow email
|
|
|
|
# addresses that can receive emails, and those cannot.
|
2018-07-18 23:45:49 +02:00
|
|
|
return [
|
|
|
|
email for email in emails
|
2019-08-05 15:15:56 +02:00
|
|
|
if email.get('verified') and not email["email"].endswith("noreply.github.com")
|
2018-07-18 23:45:49 +02:00
|
|
|
]
|
|
|
|
|
2018-05-31 00:12:39 +02:00
|
|
|
def user_data(self, access_token: str, *args: Any, **kwargs: Any) -> Dict[str, str]:
|
|
|
|
"""This patched user_data function lets us combine together the 3
|
|
|
|
social auth backends into a single Zulip backend for GitHub Oauth2"""
|
2016-08-01 13:06:35 +02:00
|
|
|
team_id = settings.SOCIAL_AUTH_GITHUB_TEAM_ID
|
|
|
|
org_name = settings.SOCIAL_AUTH_GITHUB_ORG_NAME
|
|
|
|
|
2018-05-31 00:12:39 +02:00
|
|
|
if team_id is None and org_name is None:
|
|
|
|
# I believe this can't raise AuthFailed, so we don't try to catch it here.
|
|
|
|
return super().user_data(
|
|
|
|
access_token, *args, **kwargs
|
|
|
|
)
|
|
|
|
elif team_id is not None:
|
2016-08-01 13:06:35 +02:00
|
|
|
backend = GithubTeamOAuth2(self.strategy, self.redirect_uri)
|
|
|
|
try:
|
2018-05-31 00:12:39 +02:00
|
|
|
return backend.user_data(access_token, *args, **kwargs)
|
2016-08-01 13:06:35 +02:00
|
|
|
except AuthFailed:
|
2018-05-31 00:12:39 +02:00
|
|
|
return dict(auth_failed_reason="GitHub user is not member of required team")
|
|
|
|
elif org_name is not None:
|
2016-08-01 13:06:35 +02:00
|
|
|
backend = GithubOrganizationOAuth2(self.strategy, self.redirect_uri)
|
|
|
|
try:
|
2018-05-31 00:12:39 +02:00
|
|
|
return backend.user_data(access_token, *args, **kwargs)
|
2016-08-01 13:06:35 +02:00
|
|
|
except AuthFailed:
|
2018-05-31 00:12:39 +02:00
|
|
|
return dict(auth_failed_reason="GitHub user is not member of required organization")
|
2016-08-01 13:06:35 +02:00
|
|
|
|
2018-05-31 00:12:39 +02:00
|
|
|
raise AssertionError("Invalid configuration")
|
2016-11-06 23:44:45 +01:00
|
|
|
|
2018-10-05 14:32:02 +02:00
|
|
|
class AzureADAuthBackend(SocialAuthMixin, AzureADOAuth2):
|
2019-03-10 09:38:20 +01:00
|
|
|
sort_order = 50
|
2018-10-05 14:32:02 +02:00
|
|
|
auth_backend_name = "AzureAD"
|
|
|
|
|
2019-02-02 16:51:26 +01:00
|
|
|
class GoogleAuthBackend(SocialAuthMixin, GoogleOAuth2):
|
|
|
|
sort_order = 150
|
|
|
|
auth_backend_name = "Google"
|
|
|
|
name = "google"
|
|
|
|
|
|
|
|
def get_verified_emails(self, *args: Any, **kwargs: Any) -> List[str]:
|
|
|
|
verified_emails = [] # type: List[str]
|
|
|
|
details = kwargs["response"]
|
|
|
|
email_verified = details.get("email_verified")
|
|
|
|
if email_verified:
|
|
|
|
verified_emails.append(details["email"])
|
|
|
|
return verified_emails
|
|
|
|
|
2019-09-29 06:32:56 +02:00
|
|
|
class SAMLAuthBackend(SocialAuthMixin, SAMLAuth):
|
|
|
|
auth_backend_name = "SAML"
|
|
|
|
standard_relay_params = ["subdomain", "multiuse_object_key", "mobile_flow_otp",
|
|
|
|
"next", "is_signup"]
|
|
|
|
REDIS_EXPIRATION_SECONDS = 60 * 15
|
|
|
|
|
|
|
|
def auth_url(self) -> str:
|
|
|
|
"""Get the URL to which we must redirect in order to
|
|
|
|
authenticate the user. Overriding the original SAMLAuth.auth_url.
|
|
|
|
Runs when someone accesses the /login/saml/ endpoint."""
|
|
|
|
try:
|
|
|
|
idp_name = self.strategy.request_data()['idp']
|
|
|
|
auth = self._create_saml_auth(idp=self.get_idp(idp_name))
|
|
|
|
except KeyError:
|
|
|
|
# If the above raise KeyError, it means invalid or no idp was specified,
|
|
|
|
# we should log that and redirect to the login page.
|
|
|
|
logging.info("/login/saml/ : Bad idp param.")
|
|
|
|
return reverse('zerver.views.auth.login_page',
|
|
|
|
kwargs = {'template_name': 'zerver/login.html'})
|
|
|
|
|
|
|
|
# This where we change things. We need to pass some params
|
|
|
|
# (`mobile_flow_otp`, `next`, etc.) through RelayState, which
|
|
|
|
# then the IdP will pass back to us so we can read those
|
|
|
|
# parameters in the final part of the authentication flow, at
|
|
|
|
# the /complete/saml/ endpoint.
|
|
|
|
#
|
|
|
|
# To protect against network eavesdropping of these
|
|
|
|
# parameters, we send just a random token to the IdP in
|
|
|
|
# RelayState, which is used as a key into our redis data store
|
|
|
|
# for fetching the actual parameters after the IdP has
|
|
|
|
# returned a successful authentication.
|
|
|
|
params_to_relay = ["idp"] + self.standard_relay_params
|
|
|
|
request_data = self.strategy.request_data().dict()
|
|
|
|
data_to_relay = {
|
|
|
|
key: request_data[key] for key in params_to_relay if key in request_data
|
|
|
|
}
|
|
|
|
relay_state = self.put_data_in_redis(data_to_relay)
|
|
|
|
|
|
|
|
return auth.login(return_to=relay_state)
|
|
|
|
|
|
|
|
@classmethod
|
|
|
|
def put_data_in_redis(cls, data_to_relay: Dict[str, Any]) -> str:
|
|
|
|
with redis_client.pipeline() as pipeline:
|
|
|
|
token = generate_random_token(64)
|
|
|
|
key = "saml_token_{}".format(token)
|
|
|
|
pipeline.set(key, ujson.dumps(data_to_relay))
|
|
|
|
pipeline.expire(key, cls.REDIS_EXPIRATION_SECONDS)
|
|
|
|
pipeline.execute()
|
|
|
|
|
|
|
|
return key
|
|
|
|
|
|
|
|
@classmethod
|
|
|
|
def get_data_from_redis(cls, key: str) -> Optional[Dict[str, Any]]:
|
|
|
|
redis_data = None
|
|
|
|
if key.startswith('saml_token_'):
|
|
|
|
# Safety if statement, to not allow someone to poke around arbitrary redis keys here.
|
|
|
|
redis_data = redis_client.get(key)
|
|
|
|
if redis_data is None:
|
|
|
|
# TODO: We will need some sort of user-facing message
|
|
|
|
# about the authentication session having expired here.
|
|
|
|
logging.info("SAML authentication failed: bad RelayState token.")
|
|
|
|
return None
|
|
|
|
|
|
|
|
return ujson.loads(redis_data)
|
|
|
|
|
|
|
|
def auth_complete(self, *args: Any, **kwargs: Any) -> Optional[HttpResponse]:
|
|
|
|
"""
|
|
|
|
Additional ugly wrapping on top of auth_complete in SocialAuthMixin.
|
|
|
|
We handle two things here:
|
|
|
|
1. Working around bad RelayState or SAMLResponse parameters in the request.
|
|
|
|
Both parameters should be present if the user came to /complete/saml/ through
|
|
|
|
the IdP as intended. The errors can happen if someone simply types the endpoint into
|
|
|
|
their browsers, or generally tries messing with it in some ways.
|
|
|
|
|
|
|
|
2. The first part of our SAML authentication flow will encode important parameters
|
|
|
|
into the RelayState. We need to read them and set those values in the session,
|
|
|
|
and then change the RelayState param to the idp_name, because that's what
|
|
|
|
SAMLAuth.auth_complete() expects.
|
|
|
|
"""
|
|
|
|
if 'RelayState' not in self.strategy.request_data():
|
|
|
|
logging.info("SAML authentication failed: missing RelayState.")
|
|
|
|
return None
|
|
|
|
|
|
|
|
# Set the relevant params that we transported in the RelayState:
|
|
|
|
redis_key = self.strategy.request_data()['RelayState']
|
|
|
|
relayed_params = self.get_data_from_redis(redis_key)
|
|
|
|
if relayed_params is None:
|
|
|
|
return None
|
|
|
|
|
|
|
|
result = None
|
|
|
|
try:
|
|
|
|
for param, value in relayed_params.items():
|
|
|
|
if param in self.standard_relay_params:
|
|
|
|
self.strategy.session_set(param, value)
|
|
|
|
|
|
|
|
# super().auth_complete expects to have RelayState set to the idp_name,
|
|
|
|
# so we need to replace this param.
|
|
|
|
post_params = self.strategy.request.POST.copy()
|
|
|
|
post_params['RelayState'] = relayed_params["idp"]
|
|
|
|
self.strategy.request.POST = post_params
|
|
|
|
|
|
|
|
# Call the auth_complete method of SocialAuthMixIn
|
|
|
|
result = super().auth_complete(*args, **kwargs) # type: ignore # monkey-patching
|
|
|
|
except OneLogin_Saml2_Error as e:
|
|
|
|
# This will be raised if SAMLResponse is missing.
|
|
|
|
logging.info(str(e))
|
|
|
|
# Fall through to returning None.
|
|
|
|
finally:
|
|
|
|
if result is None:
|
|
|
|
for param in self.standard_relay_params:
|
|
|
|
# If an attacker managed to eavesdrop on the RelayState token,
|
|
|
|
# they may pass it here to the endpoint with an invalid SAMLResponse.
|
|
|
|
# We remove these potentially sensitive parameters that we have set in the session
|
|
|
|
# ealier, to avoid leaking their values.
|
|
|
|
self.strategy.session_set(param, None)
|
|
|
|
|
|
|
|
return result
|
|
|
|
|
2016-11-06 23:44:45 +01:00
|
|
|
AUTH_BACKEND_NAME_MAP = {
|
2017-11-02 08:05:56 +01:00
|
|
|
'Dev': DevAuthBackend,
|
|
|
|
'Email': EmailAuthBackend,
|
|
|
|
'LDAP': ZulipLDAPAuthBackend,
|
|
|
|
'RemoteUser': ZulipRemoteUserBackend,
|
2018-05-10 18:53:55 +02:00
|
|
|
} # type: Dict[str, Any]
|
2019-03-05 18:30:10 +01:00
|
|
|
SOCIAL_AUTH_BACKENDS = [] # type: List[BaseOAuth2]
|
2018-10-12 01:58:01 +02:00
|
|
|
|
|
|
|
# Authomatically add all of our social auth backends to relevant data structures.
|
|
|
|
for social_auth_subclass in SocialAuthMixin.__subclasses__():
|
|
|
|
AUTH_BACKEND_NAME_MAP[social_auth_subclass.auth_backend_name] = social_auth_subclass
|
2019-09-19 03:14:12 +02:00
|
|
|
SOCIAL_AUTH_BACKENDS.append(social_auth_subclass)
|
2019-02-02 16:51:26 +01:00
|
|
|
|
|
|
|
# Provide this alternative name for backwards compatibility with
|
|
|
|
# installations that had the old backend enabled.
|
|
|
|
GoogleMobileOauth2Backend = GoogleAuthBackend
|