Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zulip/zproject/backends.py

579 lines
24 KiB
Python
Raw Normal View History

Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
import logging
zproject: Change use of typing.Text to str.
2018-05-10 18:53:55 +02:00
from typing import Any, Dict, List, Set, Tuple, Optional
Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
backends: Sort imports.
2017-10-24 17:59:39 +02:00
from apiclient.sample_tools import client as googleapiclient
from django_auth_ldap.backend import LDAPBackend, _LDAPUser
import django.contrib.auth
SSO / REMOTE_USER support (imported from commit 4f4fad7af5d3c6099cac95d7708338c182626d72)
2013-11-04 23:16:46 +01:00
from django.contrib.auth.backends import RemoteUserBackend
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
from django.conf import settings
backends: Sort imports.
2017-10-24 17:59:39 +02:00
from django.http import HttpResponse
[manual] Accept OAuth2 tokens for API login via Google Apps This is used by the Android app to authenticate without prompting for a password. To do so, we implement a custom authentication backend that validates the ID token provided by Google and then tries to see if we have a corresponding UserProfile on file for them. If the attestation is valid but the user is unregistered, we return that fact by modifying a dictionary passed in as a parameter. We then return the appropriate error message via the API. This commit adds a dependency on the "googleapi" module. On Debian-based systems with the Zulip APT repository: sudo apt-get install python-googleapi For OS X and other platforms: pip install googleapi (imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-10 23:48:05 +01:00
from oauth2client.crypt import AppIdentityError
requirements: Upgrade python-social-auth to latest version Fixes #3403
2017-01-21 16:52:59 +01:00
from social_core.backends.github import GithubOAuth2, GithubOrganizationOAuth2, \
Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
GithubTeamOAuth2
github: Override get_authenticated_user. Now we have moved the `do_auth` function to `SocialAuthMixin`. Instead of overriding `do_auth`, derived class is now expected to override `get_authenticated_user`. `do_auth` now contains code which is expected by all backends.
2017-11-17 07:53:52 +01:00
from social_core.utils import handle_http_errors
Handle social auth exception in auth_complete. In case of an exception, we log it and return None which results in a redirect to the login page.
2017-03-07 08:32:40 +01:00
from social_core.exceptions import AuthFailed, SocialAuthBaseException
github: Pass proper parameters to authenticate. Django tries to authenticate against all backends one by one. The authenticate() function of GitHub backend used to take *args and **kwargs arguments due to which it could be called against any set of arguments. Django uses arguments to differentiate authenticate() methods.
2017-03-24 10:48:52 +01:00
from social_django.models import DjangoStorage
from social_django.strategy import DjangoStrategy
backends: Sort imports.
2017-10-24 17:59:39 +02:00
from zerver.lib.actions import do_create_user
from zerver.lib.request import JsonableError
subdomains: Refactor check_subdomain to a clearer interface. Now that every call site of check_subdomain produces its second argument in exactly the same way, push that shared bit of logic into a new wrapper for check_subdomain. Also give that new function a name that says more specifically what it's checking -- which I think is easier to articulate for this interface than for that of check_subdomain.
2017-10-20 02:53:24 +02:00
from zerver.lib.subdomains import user_matches_subdomain, get_subdomain
backends: Sort imports.
2017-10-24 17:59:39 +02:00
from zerver.lib.users import check_full_name
from zerver.models import UserProfile, Realm, get_user_profile_by_id, \
backends: Remove assumption that only one user can have a given email. I probably should have just done this in the original implementation; there's only a small downside in the form of an extra database query when trying to authenticate a user who doesn't exist.
2017-11-22 20:23:54 +01:00
remote_user_to_email, email_to_username, get_realm, get_user
backends: Sort imports.
2017-10-24 17:59:39 +02:00
zproject: Change use of typing.Text to str.
2018-05-10 18:53:55 +02:00
def pad_method_dict(method_dict: Dict[str, bool]) -> Dict[str, bool]:
auth: Refactor auth backend enabled checking code.
2016-11-06 23:44:45 +01:00
"""Pads an authentication methods dict to contain all auth backends
supported by the software, regardless of whether they are
configured on this server"""
for key in AUTH_BACKEND_NAME_MAP:
if key not in method_dict:
method_dict[key] = False
return method_dict
zproject: Change use of typing.Text to str.
2018-05-10 18:53:55 +02:00
def auth_enabled_helper(backends_to_check: List[str], realm: Optional[Realm]) -> bool:
auth: Make supported authentication backends a bitfield on realm. This makes it possible to configure only certain authentication methods to be enabled on a per-realm basis. Note that the authentication_methods_dict function (which checks what backends are supported on the realm) requires an in function import due to a circular dependency.
2016-11-02 21:41:10 +01:00
if realm is not None:
enabled_method_dict = realm.authentication_methods_dict()
pad_method_dict(enabled_method_dict)
else:
enabled_method_dict = dict((method, True) for method in Realm.AUTHENTICATION_FLAGS)
pad_method_dict(enabled_method_dict)
auth: Refactor auth backend enabled checking code.
2016-11-06 23:44:45 +01:00
for supported_backend in django.contrib.auth.get_backends():
for backend_name in backends_to_check:
backend = AUTH_BACKEND_NAME_MAP[backend_name]
if enabled_method_dict[backend_name] and isinstance(supported_backend, backend):
return True
Disable password change when SSO is the only login option (imported from commit fd1a14237e2d6ea574331ed178bfc0db5beb18c6)
2013-11-04 23:42:31 +01:00
return False
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def ldap_auth_enabled(realm: Optional[Realm]=None) -> bool:
zproject: Remove u prefix from strings.
2017-11-02 08:05:56 +01:00
return auth_enabled_helper(['LDAP'], realm)
auth: Separate email_auth_enabled from ldap_auth_enabled.
2016-11-07 00:04:59 +01:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def email_auth_enabled(realm: Optional[Realm]=None) -> bool:
zproject: Remove u prefix from strings.
2017-11-02 08:05:56 +01:00
return auth_enabled_helper(['Email'], realm)
auth: Separate email_auth_enabled from ldap_auth_enabled.
2016-11-07 00:04:59 +01:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def password_auth_enabled(realm: Optional[Realm]=None) -> bool:
auth: Separate email_auth_enabled from ldap_auth_enabled.
2016-11-07 00:04:59 +01:00
return ldap_auth_enabled(realm) or email_auth_enabled(realm)
Add a new dev login page for logging in without a password on the dev VM. (imported from commit ac8f2504771c9907b7e92dc91cec5f7220ce951b)
2015-08-19 02:58:20 +02:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def dev_auth_enabled(realm: Optional[Realm]=None) -> bool:
zproject: Remove u prefix from strings.
2017-11-02 08:05:56 +01:00
return auth_enabled_helper(['Dev'], realm)
auth: Refactor auth backend enabled checking code.
2016-11-06 23:44:45 +01:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def google_auth_enabled(realm: Optional[Realm]=None) -> bool:
zproject: Remove u prefix from strings.
2017-11-02 08:05:56 +01:00
return auth_enabled_helper(['Google'], realm)
auth: Refactor auth backend enabled checking code.
2016-11-06 23:44:45 +01:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def github_auth_enabled(realm: Optional[Realm]=None) -> bool:
zproject: Remove u prefix from strings.
2017-11-02 08:05:56 +01:00
return auth_enabled_helper(['GitHub'], realm)
Add a new dev login page for logging in without a password on the dev VM. (imported from commit ac8f2504771c9907b7e92dc91cec5f7220ce951b)
2015-08-19 02:58:20 +02:00
auth: Report to mobile apps the availability of RemoteUserBackend. This is necessary for mobile apps to do the right thing when only RemoteUserBackend is enabled, namely, directly redirect to the third-party SSO auth site as soon as the user enters the server URL (no need to display a login form, since it'll be useless).
2018-02-06 23:36:56 +01:00
def remote_auth_enabled(realm: Optional[Realm]=None) -> bool:
return auth_enabled_helper(['RemoteUser'], realm)
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def any_oauth_backend_enabled(realm: Optional[Realm]=None) -> bool:
Redesign login and registration pages. This completes a major redesign of the Zulip login and registration pages, making them look much more slick and modern. Major features include: * Display of the realm name, description and icon on the login page and registration pages in the subdomains case. * Much slicker looking buttons and input fields. * A new overall style for the exterior of these portico pages.
2017-04-20 21:02:56 +02:00
"""Used by the login page process to determine whether to show the
'OR' for login with Google"""
zproject: Remove u prefix from strings.
2017-11-02 08:05:56 +01:00
return auth_enabled_helper(['GitHub', 'Google'], realm)
Redesign login and registration pages. This completes a major redesign of the Zulip login and registration pages, making them look much more slick and modern. Major features include: * Display of the realm name, description and icon on the login page and registration pages in the subdomains case. * Much slicker looking buttons and input fields. * A new overall style for the exterior of these portico pages.
2017-04-20 21:02:56 +02:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def require_email_format_usernames(realm: Optional[Realm]=None) -> bool:
backends.py: Expose backends that require email usernames
2017-09-15 16:59:03 +02:00
if ldap_auth_enabled(realm):
if settings.LDAP_EMAIL_ATTR or settings.LDAP_APPEND_DOMAIN:
return False
return True
auth: Rewrite DummyAuthBackend to not block email reuse. This require some care to ensure we still provide the same nice error messages for the case of a user who has an account, just not with this organization. Also, we fix the fact that the docstring was (and I think always has been) at best confusing and perhaps even inaccurate.
2017-11-17 22:43:16 +01:00
def common_get_active_user(email: str, realm: Realm,
return_data: Dict[str, Any]=None) -> Optional[UserProfile]:
try:
user_profile = get_user(email, realm)
except UserProfile.DoesNotExist:
# If the user doesn't have an account in the target realm, we
# check whether they might have an account in another realm,
# and if so, provide a helpful error message via
# `invalid_subdomain`.
backends: Remove assumption that only one user can have a given email. I probably should have just done this in the original implementation; there's only a small downside in the form of an extra database query when trying to authenticate a user who doesn't exist.
2017-11-22 20:23:54 +01:00
if not UserProfile.objects.filter(email__iexact=email).exists():
auth: Rewrite DummyAuthBackend to not block email reuse. This require some care to ensure we still provide the same nice error messages for the case of a user who has an account, just not with this organization. Also, we fix the fact that the docstring was (and I think always has been) at best confusing and perhaps even inaccurate.
2017-11-17 22:43:16 +01:00
return None
if return_data is not None:
return_data['invalid_subdomain'] = True
return None
if not user_profile.is_active:
if return_data is not None:
forms: Stop using get_user_profile_by_email in OurAuthenticationForm. Structurally, the main change here is replacing the `clean_username` function, which would get called when one accessed self.cleaned_data['username'] with code in the main `clean` function. This is important because only in `clean` do we have access to the `realm` object. Since I recently added full test coverage on this form, we know each of the major cases have a test; the error messages are unchanged.
2017-11-18 02:03:36 +01:00
if user_profile.is_mirror_dummy:
# Record whether it's a mirror dummy account
return_data['is_mirror_dummy'] = True
auth: Rewrite DummyAuthBackend to not block email reuse. This require some care to ensure we still provide the same nice error messages for the case of a user who has an account, just not with this organization. Also, we fix the fact that the docstring was (and I think always has been) at best confusing and perhaps even inaccurate.
2017-11-17 22:43:16 +01:00
return_data['inactive_user'] = True
return None
if user_profile.realm.deactivated:
if return_data is not None:
return_data['inactive_realm'] = True
return None
return user_profile
zproject: Remove inheritance from object.
2017-11-05 11:31:53 +01:00
class ZulipAuthMixin:
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def get_user(self, user_profile_id: int) -> Optional[UserProfile]:
Factor out get_user in zproject/backends.py (imported from commit d60b5440722ed596ffbcb81086b2f62d535288dd)
2013-11-01 20:22:12 +01:00
""" Get a UserProfile object from the user_profile_id. """
try:
return get_user_profile_by_id(user_profile_id)
except UserProfile.DoesNotExist:
return None
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
class SocialAuthMixin(ZulipAuthMixin):
zproject: Change use of typing.Text to str.
2018-05-10 18:53:55 +02:00
auth_backend_name = None # type: str
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
zproject: Change use of typing.Text to str.
2018-05-10 18:53:55 +02:00
def get_email_address(self, *args: Any, **kwargs: Any) -> str:
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
raise NotImplementedError
zproject: Change use of typing.Text to str.
2018-05-10 18:53:55 +02:00
def get_full_name(self, *args: Any, **kwargs: Any) -> str:
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
raise NotImplementedError
github: Override get_authenticated_user. Now we have moved the `do_auth` function to `SocialAuthMixin`. Instead of overriding `do_auth`, derived class is now expected to override `get_authenticated_user`. `do_auth` now contains code which is expected by all backends.
2017-11-17 07:53:52 +01:00
def get_authenticated_user(self, *args: Any, **kwargs: Any) -> Optional[UserProfile]:
raise NotImplementedError
@handle_http_errors
def do_auth(self, *args: Any, **kwargs: Any) -> Optional[HttpResponse]:
"""
This function is called once the authentication workflow is complete.
We override this function to:
1. Inject `return_data` and `realm_subdomain` kwargs. These will be
used by `authenticate()` functions of backends to make the
decision.
2. Call the proper authentication function to get the user in
`get_authenticated_user`.
The actual decision on authentication is done in
SocialAuthMixin._common_authenticate().
SocialAuthMixin.get_authenticated_user is expected to be overridden by
the derived class to add custom logic for authenticating the user and
returning the user.
"""
kwargs['return_data'] = {}
auth: Convert SocialAuthMixin to accept a realm object.
2017-11-21 23:48:40 +01:00
subdomain = self.strategy.session_get('subdomain') # type: ignore # `strategy` comes from Python Social Auth.
realm = get_realm(subdomain)
kwargs['realm'] = realm
github: Override get_authenticated_user. Now we have moved the `do_auth` function to `SocialAuthMixin`. Instead of overriding `do_auth`, derived class is now expected to override `get_authenticated_user`. `do_auth` now contains code which is expected by all backends.
2017-11-17 07:53:52 +01:00
user_profile = self.get_authenticated_user(*args, **kwargs)
return self.process_do_auth(user_profile, *args, **kwargs)
github: Pass proper parameters to authenticate. Django tries to authenticate against all backends one by one. The authenticate() function of GitHub backend used to take *args and **kwargs arguments due to which it could be called against any set of arguments. Django uses arguments to differentiate authenticate() methods.
2017-03-24 10:48:52 +01:00
def authenticate(self,
auth: Convert SocialAuthMixin to accept a realm object.
2017-11-21 23:48:40 +01:00
realm: Optional[Realm]=None,
backends: Convert authenticate methods to modern type annotations.
2017-11-21 20:47:26 +01:00
storage: Optional[DjangoStorage]=None,
strategy: Optional[DjangoStrategy]=None,
user: Optional[Dict[str, Any]]=None,
return_data: Optional[Dict[str, Any]]=None,
response: Optional[Dict[str, Any]]=None,
backend: Optional[GithubOAuth2]=None
) -> Optional[UserProfile]:
github: Pass proper parameters to authenticate. Django tries to authenticate against all backends one by one. The authenticate() function of GitHub backend used to take *args and **kwargs arguments due to which it could be called against any set of arguments. Django uses arguments to differentiate authenticate() methods.
2017-03-24 10:48:52 +01:00
"""
Django decides which `authenticate` to call by inspecting the
arguments. So it's better to create `authenticate` function
with well defined arguments.
Keeping this function separate so that it can easily be
overridden.
"""
if user is None:
user = {}
subdomains: Hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-02 08:32:09 +02:00
assert return_data is not None
assert response is not None
github: Pass proper parameters to authenticate. Django tries to authenticate against all backends one by one. The authenticate() function of GitHub backend used to take *args and **kwargs arguments due to which it could be called against any set of arguments. Django uses arguments to differentiate authenticate() methods.
2017-03-24 10:48:52 +01:00
return self._common_authenticate(self,
auth: Convert SocialAuthMixin to accept a realm object.
2017-11-21 23:48:40 +01:00
realm=realm,
github: Pass proper parameters to authenticate. Django tries to authenticate against all backends one by one. The authenticate() function of GitHub backend used to take *args and **kwargs arguments due to which it could be called against any set of arguments. Django uses arguments to differentiate authenticate() methods.
2017-03-24 10:48:52 +01:00
storage=storage,
strategy=strategy,
user=user,
return_data=return_data,
response=response,
backend=backend)
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def _common_authenticate(self, *args: Any, **kwargs: Any) -> Optional[UserProfile]:
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
return_data = kwargs.get('return_data', {})
auth: Convert SocialAuthMixin to accept a realm object.
2017-11-21 23:48:40 +01:00
realm = kwargs.get("realm")
if realm is None:
return None
auth: Move check for social backend earlier. This better fits the flow that we use in other auth backends.
2017-11-21 23:50:06 +01:00
if not auth_enabled_helper([self.auth_backend_name], realm):
return_data["auth_backend_disabled"] = True
return None
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
email_address = self.get_email_address(*args, **kwargs)
if not email_address:
github: Redirect to login page if invalid email.
2017-03-23 06:02:07 +01:00
return_data['invalid_email'] = True
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
return None
auth: Set valid_attestation more unconditionally in social auth.
2017-11-22 00:41:18 +01:00
return_data["valid_attestation"] = True
auth: Convert SocialAuthMixin to use new helper. This is a pure refactor at this point.
2017-11-21 23:51:22 +01:00
return common_get_active_user(email_address, realm, return_data)
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def process_do_auth(self, user_profile: UserProfile, *args: Any,
**kwargs: Any) -> Optional[HttpResponse]:
backends.py: Update comment in process_do_auth.
2017-03-23 05:01:39 +01:00
# These functions need to be imported here to avoid cyclic
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
# dependency.
subdomains: Make GitHub login work with subdomains. Fixes #2501.
2016-12-01 13:10:59 +01:00
from zerver.views.auth import (login_or_register_remote_user,
views: Move some login code from `registration` to `auth`. Most of these have more to do with authentication in general than with registering a new account. `create_preregistration_user` could go either way; we move it to `auth` so we can make the imports go only in one direction.
2017-10-27 00:27:59 +02:00
redirect_to_subdomain_login_url,
redirect_and_log_into_subdomain)
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
return_data = kwargs.get('return_data', {})
inactive_user = return_data.get('inactive_user')
inactive_realm = return_data.get('inactive_realm')
GitHub: Show error on login page for wrong subdomain. While logging in through GitHub, if the user tries to login to the wrong subdomain then show an appropriate message.
2016-10-07 11:10:21 +02:00
invalid_subdomain = return_data.get('invalid_subdomain')
github: Redirect to login page if invalid email.
2017-03-23 06:02:07 +01:00
invalid_email = return_data.get('invalid_email')
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
github: Go to registration if email is invalid.
2017-03-24 11:00:58 +01:00
if inactive_user or inactive_realm:
github: Redirect to login page if invalid email.
2017-03-23 06:02:07 +01:00
# Redirect to login page. We can't send to registration
github: Go to registration if email is invalid.
2017-03-24 11:00:58 +01:00
# workflow with these errors. We will redirect to login page.
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
return None
github: Go to registration if email is invalid.
2017-03-24 11:00:58 +01:00
if invalid_email:
# In case of invalid email, we will end up on registration page.
# This seems better than redirecting to login page.
logging.warning(
"{} got invalid email argument.".format(self.auth_backend_name)
)
auth: Improve logic for invalid GitHub emails. This deletes the old mock-covered test for this, which was mostly useless. We have a much less messy test, which we extend to provide the same test coverage the old one did. While the result was the same before, this makes it more obvious.
2017-11-22 01:14:55 +01:00
return None
github: Redirect to login page if invalid email.
2017-03-23 06:02:07 +01:00
subdomains: Make GitHub login work with subdomains. Fixes #2501.
2016-12-01 13:10:59 +01:00
strategy = self.strategy # type: ignore # This comes from Python Social Auth.
request = strategy.request
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
email_address = self.get_email_address(*args, **kwargs)
full_name = self.get_full_name(*args, **kwargs)
auth: Pass is_signup option around.
2017-05-05 19:54:36 +02:00
is_signup = strategy.session_get('is_signup') == '1'
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
redirect_to = strategy.session_get('next')
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
backend: Add support for mobile_flow_otp in social auth. It turns out that very little code change is required to support GitHub auth on mobile. Ideally, this would come with tests, though the complicated part of the code path is covered by the Google auth version. But writing a test for this would take a long time, and I think it's worth having the feature now, so I'll be doing tests as a follow-up project.
2017-09-30 00:30:55 +02:00
mobile_flow_otp = strategy.session_get('mobile_flow_otp')
subdomains: Clean up a use of various falsy values for the root domain. This isn't a complete cleanup of the logic at this spot, but at least the messy part that remains is now explicit.
2017-10-26 02:48:21 +02:00
subdomain = strategy.session_get('subdomain')
auth: Fix incorrect use of get_realm_from_request. The code in maybe_send_to_registration incorrectly used the `get_realm_from_request` function to fetch the subdomain. This usage was incorrect in a way that should have been irrelevant, because that function only differs if there's a logged-in user, and in this code path, a user is never logged in (it's the code path for logged-out users trying to sign up). This this bug could confuse unit tests that might run with a logged-in client session. This made it possible for several of our GitHub auth tests to have a totally invalid subdomain value (the root domain). Fixing that bug in the tests, in turn, let us delete a code path in the GitHub auth backend logic in `backends.py` that is impossible in production, and had just been left around for these broken tests.
2018-04-23 01:08:44 +02:00
assert subdomain is not None
if mobile_flow_otp is not None:
subdomains: Make GitHub login work with subdomains. Fixes #2501.
2016-12-01 13:10:59 +01:00
return login_or_register_remote_user(request, email_address,
user_profile, full_name,
auth: Pass is_signup option around.
2017-05-05 19:54:36 +02:00
invalid_subdomain=bool(invalid_subdomain),
backend: Add support for mobile_flow_otp in social auth. It turns out that very little code change is required to support GitHub auth on mobile. Ideally, this would come with tests, though the complicated part of the code path is covered by the Google auth version. But writing a test for this would take a long time, and I think it's worth having the feature now, so I'll be doing tests as a follow-up project.
2017-09-30 00:30:55 +02:00
mobile_flow_otp=mobile_flow_otp,
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
is_signup=is_signup,
test_auth_backends: Add a test for GitHub auth mobile_flow_otp.
2018-04-23 04:53:48 +02:00
redirect_to=redirect_to)
social auth: Replace a bit of explicit model-querying with get_realm.
2017-10-20 03:27:53 +02:00
realm = get_realm(subdomain)
if realm is None:
subdomains: Make GitHub login work with subdomains. Fixes #2501.
2016-12-01 13:10:59 +01:00
return redirect_to_subdomain_login_url()
auth: Pass is_signup option around.
2017-05-05 19:54:36 +02:00
return redirect_and_log_into_subdomain(realm, full_name, email_address,
auth.py: Make redirects to 'next' url work for google and github. In this commit we start to support redirects to urls supplied as a 'next' param for the following two backends: * GoogleOAuth2 based backend. * GitHubAuthBackend.
2018-03-12 12:54:50 +01:00
is_signup=is_signup,
redirect_to=redirect_to)
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def auth_complete(self, *args: Any, **kwargs: Any) -> Optional[HttpResponse]:
github: Add docstrings to functions. Docstring added to: * auth_complete * do_auth
2017-03-23 05:46:10 +01:00
"""
Returning `None` from this function will redirect the browser
to the login page.
"""
backend: Handle GitHub authentication failure. In case of AuthFailed exception return None.
2017-02-28 11:58:03 +01:00
try:
cleanup: Fix comment in SocialAuthMixin.auth_complete.
2017-10-12 08:05:21 +02:00
# Call the auth_complete method of social_core.backends.oauth.BaseOAuth2
refactor: Replace super(.*self) with Python 3-specific super(). We change all the instances except for the `test_helpers.py` TimeTrackingCursor monkey-patching, which actually needs to specify the base class.
2017-10-27 08:28:23 +02:00
return super().auth_complete(*args, **kwargs) # type: ignore # monkey-patching
backend: Handle GitHub authentication failure. In case of AuthFailed exception return None.
2017-02-28 11:58:03 +01:00
except AuthFailed:
return None
Handle social auth exception in auth_complete. In case of an exception, we log it and return None which results in a redirect to the login page.
2017-03-07 08:32:40 +01:00
except SocialAuthBaseException as e:
ldap: Change logging level to warning. Fixes #6960.
2017-10-13 08:26:50 +02:00
logging.warning(str(e))
Handle social auth exception in auth_complete. In case of an exception, we log it and return None which results in a redirect to the login page.
2017-03-07 08:32:40 +01:00
return None
backend: Handle GitHub authentication failure. In case of AuthFailed exception return None.
2017-02-28 11:58:03 +01:00
Use LDAP-provided information if available for real names If authoritative data is available from say the LDAP database, we now ignore the POSTed user name, and don't offer it as a form field. We fall back to giving the user a text field if they aren't in LDAP. If users do not have any form fields to fill out, we simply bring them to the app without the registration page, logging them in using a dummy backend. (imported from commit 6bee87430ba46ff753ea3408251e8a80c45c713f)
2013-11-21 04:57:23 +01:00
class ZulipDummyBackend(ZulipAuthMixin):
"""
auth: Rewrite DummyAuthBackend to not block email reuse. This require some care to ensure we still provide the same nice error messages for the case of a user who has an account, just not with this organization. Also, we fix the fact that the docstring was (and I think always has been) at best confusing and perhaps even inaccurate.
2017-11-17 22:43:16 +01:00
Used when we want to log you in without checking any
authentication (i.e. new user registration or when otherwise
authentication has already been checked earlier in the process).
Use LDAP-provided information if available for real names If authoritative data is available from say the LDAP database, we now ignore the POSTed user name, and don't offer it as a form field. We fall back to giving the user a text field if they aren't in LDAP. If users do not have any form fields to fill out, we simply bring them to the app without the registration page, logging them in using a dummy backend. (imported from commit 6bee87430ba46ff753ea3408251e8a80c45c713f)
2013-11-21 04:57:23 +01:00
"""
pep8: Fix E301 pep8 violations. Fix "E301: expected (1 or 2) blank line" pep8 violations.
2016-11-29 07:22:02 +01:00
auth: Rewrite DummyAuthBackend to not block email reuse. This require some care to ensure we still provide the same nice error messages for the case of a user who has an account, just not with this organization. Also, we fix the fact that the docstring was (and I think always has been) at best confusing and perhaps even inaccurate.
2017-11-17 22:43:16 +01:00
def authenticate(self, username: Optional[str]=None, realm: Optional[Realm]=None,
backends: Convert authenticate methods to modern type annotations.
2017-11-21 20:47:26 +01:00
use_dummy_backend: bool=False,
auth: Rewrite DummyAuthBackend to not block email reuse. This require some care to ensure we still provide the same nice error messages for the case of a user who has an account, just not with this organization. Also, we fix the fact that the docstring was (and I think always has been) at best confusing and perhaps even inaccurate.
2017-11-17 22:43:16 +01:00
return_data: Dict[str, Any]=None) -> Optional[UserProfile]:
Use LDAP-provided information if available for real names If authoritative data is available from say the LDAP database, we now ignore the POSTed user name, and don't offer it as a form field. We fall back to giving the user a text field if they aren't in LDAP. If users do not have any form fields to fill out, we simply bring them to the app without the registration page, logging them in using a dummy backend. (imported from commit 6bee87430ba46ff753ea3408251e8a80c45c713f)
2013-11-21 04:57:23 +01:00
if use_dummy_backend:
auth: Rewrite DummyAuthBackend to not block email reuse. This require some care to ensure we still provide the same nice error messages for the case of a user who has an account, just not with this organization. Also, we fix the fact that the docstring was (and I think always has been) at best confusing and perhaps even inaccurate.
2017-11-17 22:43:16 +01:00
# These are kwargs only for readability; they should never be None
assert username is not None
assert realm is not None
return common_get_active_user(username, realm, return_data)
Use LDAP-provided information if available for real names If authoritative data is available from say the LDAP database, we now ignore the POSTed user name, and don't offer it as a form field. We fall back to giving the user a text field if they aren't in LDAP. If users do not have any form fields to fill out, we simply bring them to the app without the registration page, logging them in using a dummy backend. (imported from commit 6bee87430ba46ff753ea3408251e8a80c45c713f)
2013-11-21 04:57:23 +01:00
return None
Factor out get_user in zproject/backends.py (imported from commit d60b5440722ed596ffbcb81086b2f62d535288dd)
2013-11-01 20:22:12 +01:00
class EmailAuthBackend(ZulipAuthMixin):
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
"""
Email Authentication Backend
Allows a user to sign in using an email/password pair rather than
a username/password pair.
"""
pep8: Fix E301 pep8 violations. Fix "E301: expected (1 or 2) blank line" pep8 violations.
2016-11-29 07:22:02 +01:00
backends: Convert authenticate methods to modern type annotations.
2017-11-21 20:47:26 +01:00
def authenticate(self, username: Optional[str]=None, password: Optional[str]=None,
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
realm: Optional[Realm]=None,
backends: Convert authenticate methods to modern type annotations.
2017-11-21 20:47:26 +01:00
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
""" Authenticate a user based on email address as the user name. """
if username is None or password is None:
EmailAuthBackend: Convert a return to assert for a now-impossible case.
2017-11-21 21:32:42 +01:00
# Because of how we structure our auth calls to always
# specify which backend to use when not using
# EmailAuthBackend, username and password should always be set.
raise AssertionError("Invalid call to authenticate for EmailAuthBackend")
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
if realm is None:
return None
if not password_auth_enabled(realm):
Improve api_fetch_api_key error messages. Previously, api_fetch_api_key would not give clear error messages if password auth was disabled or the user's realm had been deactivated; additionally, the account disabled error stopped triggering when we moved the active account check into the auth decorators.
2016-04-21 21:07:43 +02:00
if return_data is not None:
return_data['password_auth_disabled'] = True
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
return None
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
if not email_auth_enabled(realm):
auth: Separate email_auth_enabled from ldap_auth_enabled.
2016-11-07 00:04:59 +01:00
if return_data is not None:
return_data['email_auth_disabled'] = True
return None
auth: Move checks for password_auth_enabled earlier. This way, we don't attempt to evaluate whether the user's account is active (etc.) until after we've checked the backend is enabled. This won't change the result of actual auth, but feels more readable.
2017-11-21 21:39:56 +01:00
auth: Convert EmailAuthBackend to use new helper. This lets us delete some duplicate code, since common_get_active_user handles an account in the wrong subdomain for us. Also lets us delete the now-unused common_get_active_user_by_email.
2017-11-21 21:42:21 +01:00
user_profile = common_get_active_user(username, realm, return_data=return_data)
auth: Move checks for password_auth_enabled earlier. This way, we don't attempt to evaluate whether the user's account is active (etc.) until after we've checked the backend is enabled. This won't change the result of actual auth, but feels more readable.
2017-11-21 21:39:56 +01:00
if user_profile is None:
return None
CVE-2016-4427: Fix access by deactivated realms/users. The security model for deactivated users (and users in deactivated realms) being unable to access the service is intended to work via two mechanisms: * All active user sessions are deleted, and all login code paths (where a user could get a new session) check whether the user (or realm) is inactive before authorizing the request, preventing the user from accessing the website and AJAX endpoints. * All API code paths (which don't require a session) check whether the user (and realm) are active. However, this security model was not implemented correctly. In particular, the check for whether a user has an active account in the login process was done inside the login form's validators, which meant that authentication mechanisms that did not use the login form (e.g. Google and REMOTE_USER auth) could succeed in granting a session even with an inactive account. The Zulip homepage would still fail to load because the code for / includes an API call to Tornado authorized by the user's token that would fail, but this mechanism could allow an inactive user to access realm data or users to access data in a deactivated realm. This fixes the issue by adding explicit checks for inactive users and inactive realms in all authentication backends (even those that were already protected by the login form validator). Mirror dummy users are already inactive, so we can remove the explicit code around mirror dummy users. The following commits add a complete set of tests for Zulip's inactive user and realm security model.
2016-04-21 07:19:08 +02:00
if user_profile.check_password(password):
return user_profile
Add option for hosting each realm on its own subdomain. This adds support for running a Zulip production server with each realm on its own unique subdomain, e.g. https://realm_name.example.com. This patch includes a ton of important features: * Configuring the Zulip sesion middleware to issue cookier correctly for the subdomains case. * Throwing an error if the user tries to visit an invalid subdomain. * Runs a portion of the Casper tests with REALMS_HAVE_SUBDOMAINS enabled to test the subdomain signup process. * Updating our integrations documentation to refer to the current subdomain. * Enforces that users can only login to the subdomain of their realm (but does not restrict the API; that will be tightened in a future commit). Note that toggling settings.REALMS_HAVE_SUBDOMAINS on a live server is not supported without manual intervention (the main problem will be adding "subdomain" values for all the existing realms). [substantially modified by tabbott as part of merging]
2016-07-19 14:35:08 +02:00
return None
Rename Django project to zproject. This includes a hack to preserve humbug/backends.py as a symlink, so that we don't need to regenerate all our old sessions. (imported from commit b7918988b31c71ec01bbdc270db7017d4069221d)
2013-08-06 22:51:47 +02:00
[manual] Accept OAuth2 tokens for API login via Google Apps This is used by the Android app to authenticate without prompting for a password. To do so, we implement a custom authentication backend that validates the ID token provided by Google and then tries to see if we have a corresponding UserProfile on file for them. If the attestation is valid but the user is unregistered, we return that fact by modifying a dictionary passed in as a parameter. We then return the appropriate error message via the API. This commit adds a dependency on the "googleapi" module. On Debian-based systems with the Zulip APT repository: sudo apt-get install python-googleapi For OS X and other platforms: pip install googleapi (imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-10 23:48:05 +01:00
class GoogleMobileOauth2Backend(ZulipAuthMixin):
"""
auth: Clarify comments explaining the GoogleMobileOauth2Backend.
2017-11-21 21:29:09 +01:00
Google Apps authentication for the legacy Android app.
DummyAuthBackend is what's actually used for our modern Google auth,
both for web and mobile (the latter via the mobile_flow_otp feature).
[manual] Accept OAuth2 tokens for API login via Google Apps This is used by the Android app to authenticate without prompting for a password. To do so, we implement a custom authentication backend that validates the ID token provided by Google and then tries to see if we have a corresponding UserProfile on file for them. If the attestation is valid but the user is unregistered, we return that fact by modifying a dictionary passed in as a parameter. We then return the appropriate error message via the API. This commit adds a dependency on the "googleapi" module. On Debian-based systems with the Zulip APT repository: sudo apt-get install python-googleapi For OS X and other platforms: pip install googleapi (imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-10 23:48:05 +01:00
Allows a user to sign in using a Google-issued OAuth2 token.
Ref:
https://developers.google.com/+/mobile/android/sign-in#server-side_access_for_your_app
https://developers.google.com/accounts/docs/CrossClientAuth#offlineAccess
"""
pep8: Fix E301 pep8 violations. Fix "E301: expected (1 or 2) blank line" pep8 violations.
2016-11-29 07:22:02 +01:00
auth: Convert GoogleMobileOAuth2Backend to accept a realm object.
2017-11-21 21:23:07 +01:00
def authenticate(self, google_oauth2_token: str=None, realm: Optional[Realm]=None,
backends: Convert authenticate methods to modern type annotations.
2017-11-21 20:47:26 +01:00
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
auth: Convert GoogleMobileOAuth2Backend to accept a realm object.
2017-11-21 21:23:07 +01:00
if realm is None:
return None
backends.py: Don't pass mutable default arguments. Values of mutable default arguments are shared across all function invocations. See https://pythonconquerstheuniverse.wordpress.com/2012/02/15/mutable-default-arguments/ for further details.
2017-03-24 08:45:21 +01:00
if return_data is None:
return_data = {}
auth: Check for GoogleMobileOauth2Backend being enabled earlier.
2017-11-21 21:23:41 +01:00
if not google_auth_enabled(realm=realm):
return_data["google_auth_disabled"] = True
return None
[manual] Accept OAuth2 tokens for API login via Google Apps This is used by the Android app to authenticate without prompting for a password. To do so, we implement a custom authentication backend that validates the ID token provided by Google and then tries to see if we have a corresponding UserProfile on file for them. If the attestation is valid but the user is unregistered, we return that fact by modifying a dictionary passed in as a parameter. We then return the appropriate error message via the API. This commit adds a dependency on the "googleapi" module. On Debian-based systems with the Zulip APT repository: sudo apt-get install python-googleapi For OS X and other platforms: pip install googleapi (imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-10 23:48:05 +01:00
try:
token_payload = googleapiclient.verify_id_token(google_oauth2_token, settings.GOOGLE_CLIENT_ID)
except AppIdentityError:
return None
auth: Invert conditionals in GoogleMobileOAuth2Backend. This will help make the flow more readable.
2017-11-21 21:25:58 +01:00
if token_payload["email_verified"] not in (True, "true"):
[manual] Accept OAuth2 tokens for API login via Google Apps This is used by the Android app to authenticate without prompting for a password. To do so, we implement a custom authentication backend that validates the ID token provided by Google and then tries to see if we have a corresponding UserProfile on file for them. If the attestation is valid but the user is unregistered, we return that fact by modifying a dictionary passed in as a parameter. We then return the appropriate error message via the API. This commit adds a dependency on the "googleapi" module. On Debian-based systems with the Zulip APT repository: sudo apt-get install python-googleapi For OS X and other platforms: pip install googleapi (imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-10 23:48:05 +01:00
return_data["valid_attestation"] = False
Fix several new errors caught by mypy 0.501. Clear out a bunch of easy to review errors, so we can focus on the more complicated ones.
2017-03-03 20:30:49 +01:00
return None
[manual] Accept OAuth2 tokens for API login via Google Apps This is used by the Android app to authenticate without prompting for a password. To do so, we implement a custom authentication backend that validates the ID token provided by Google and then tries to see if we have a corresponding UserProfile on file for them. If the attestation is valid but the user is unregistered, we return that fact by modifying a dictionary passed in as a parameter. We then return the appropriate error message via the API. This commit adds a dependency on the "googleapi" module. On Debian-based systems with the Zulip APT repository: sudo apt-get install python-googleapi For OS X and other platforms: pip install googleapi (imported from commit dbda4e657e5228f081c39af95f956bd32dd20139)
2014-01-10 23:48:05 +01:00
auth: Invert conditionals in GoogleMobileOAuth2Backend. This will help make the flow more readable.
2017-11-21 21:25:58 +01:00
return_data["valid_attestation"] = True
auth: Convert GoogleMobileOauth2Backend to use new helper. That logic was now just duplicate code.
2017-11-21 21:26:41 +01:00
return common_get_active_user(token_payload["email"], realm, return_data)
auth: Invert conditionals in GoogleMobileOAuth2Backend. This will help make the flow more readable.
2017-11-21 21:25:58 +01:00
SSO / REMOTE_USER support (imported from commit 4f4fad7af5d3c6099cac95d7708338c182626d72)
2013-11-04 23:16:46 +01:00
class ZulipRemoteUserBackend(RemoteUserBackend):
create_unknown_user = False
pep8: Fix E301 pep8 violations. Fix "E301: expected (1 or 2) blank line" pep8 violations.
2016-11-29 07:22:02 +01:00
auth: Add return_data for RemoteUserBackend. This is done mainly because this backend has the simplest code path for calling login_or_register_remote_user, more than because we expect this case to come up. It'll make it easier to write unit tests for the `invalid_subdomain` corner case.
2018-04-22 23:20:58 +02:00
def authenticate(self, remote_user: Optional[str], realm: Optional[Realm]=None,
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
auth: Remove unnecessary remote_user=None code path. This code path was only required because we had remote_user set as a positional argument here, and thus we'd be running this auth backend's code when actually using another auth backend (due to how Django auth backends are selected based on argument signature).
2017-11-21 21:00:37 +01:00
assert remote_user is not None
auth: Convert RemoteUserBackend to accept a realm object.
2017-11-17 23:14:08 +01:00
if realm is None:
return None
auth: Check for RemoteUserBackend being enabled earlier. This is possible now that we have a realm object before fetching the UserProfile object.
2017-11-21 21:04:04 +01:00
if not auth_enabled_helper(["RemoteUser"], realm):
return None
SSO / REMOTE_USER support (imported from commit 4f4fad7af5d3c6099cac95d7708338c182626d72)
2013-11-04 23:16:46 +01:00
email = remote_user_to_email(remote_user)
auth: Add return_data for RemoteUserBackend. This is done mainly because this backend has the simplest code path for calling login_or_register_remote_user, more than because we expect this case to come up. It'll make it easier to write unit tests for the `invalid_subdomain` corner case.
2018-04-22 23:20:58 +02:00
return common_get_active_user(email, realm, return_data=return_data)
Fix ZulipRemoteUserBackend for activating mirror dummies. If you're using e.g. our Jabber<=>Zulip mirroring capability along with the RemoteUser SSO integration, previously it would fail if a user with a corresponding dummy user tried to login/signup (since they didn't have an account but one wouldn't be created because ZulipRemoteUserBackend was reporting that an account already existed). (imported from commit 006eaa9afa8feedddd860c2bef41e604285228a7)
2015-02-06 18:30:28 +01:00
user_settings: Prevent LDAP users from setting a Zulip password. Previously, if both EmailAuthBackend and LDAPAuthBackend were enabled, LDAP users could set a password using EmailAuthBackend and continue to use that password, even if their LDAP account was later deactivated. That configuration wasn't supported at all before, so this doesn't fix a pre-existing security issue, but now that we're making that a valid configuration, we need to cover this case.
2018-05-29 07:25:08 +02:00
def email_belongs_to_ldap(realm: Realm, email: str) -> bool:
if not ldap_auth_enabled(realm):
return False
# If we don't have an LDAP domain, it's impossible to tell which
# accounts are LDAP accounts, so treat all of them as LDAP
# accounts
if not settings.LDAP_APPEND_DOMAIN:
return True
# Otherwise, check if the email ends with LDAP_APPEND_DOMAIN
return email.strip().lower().endswith("@" + settings.LDAP_APPEND_DOMAIN)
ldap auth: Reassure django_auth_ldap our auth-failed exceptions are normal. The main `authenticate` method in the django_auth_ldap package logs a message at `exception` level if it passes through an exception it wasn't expecting. Sensible practice, but we'd been passing through just such an exception for any kind of routine authentication failure. After we recently stopped suppressing an arbitrary subset of loggers with `disable_existing_loggers`, these started showing up noisily, including in tests. So, make our exceptions expected. Just like our own code, the upstream code raises exceptions of a particular type for routine auth failures, and catches them and just returns None. We make our type derive from that one, so as to just piggyback on that behavior. Fixes an issue reported in a comment to #6674.
2017-09-27 00:56:34 +02:00
class ZulipLDAPException(_LDAPUser.AuthenticationFailed):
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
pass
auth: Improve interactions between LDAPAuthBackend and EmailAuthBackend. Previously, if you had LDAPAuthBackend enabled, we basically blocked any other auth backends from working at all, by requiring the user's login flow include verifying the user's LDAP password. We still want to enforce that in the case that the account email matches LDAP_APPEND_DOMAIN, but there's a reasonable corner case: Having effectively guest users from outside the LDAP domain. We don't want to allow creating a Zulip-level password for a user inside the LDAP domain, so we still verify the LDAP password in that flow, but if the email is allowed to register (due to invite or whatever) but is outside the LDAP domain for the organization, we allow it to create an account and set a password. For the moment, this solution only covers EmailAuthBackend. It's likely that just extending the list of other backends we check for in the new conditional on `email_auth_backend` would be correct, but we haven't done any testing for those cases, and with auth code paths, it's better to disallow than allow untested code paths. Fixes #9422.
2018-05-29 06:52:06 +02:00
class ZulipLDAPExceptionOutsideDomain(ZulipLDAPException):
pass
ldap: Show helpful message when realm is None.
2017-09-22 10:58:12 +02:00
class ZulipLDAPConfigurationError(Exception):
pass
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
class ZulipLDAPAuthBackendBase(ZulipAuthMixin, LDAPBackend):
# Don't use Django LDAP's permissions functions
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def has_perm(self, user: Optional[UserProfile], perm: Any, obj: Any=None) -> bool:
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# Using Any type is safe because we are not doing anything with
# the arguments.
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
return False
pep8: Fix E301 pep8 violations. Fix "E301: expected (1 or 2) blank line" pep8 violations.
2016-11-29 07:22:02 +01:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def has_module_perms(self, user: Optional[UserProfile], app_label: Optional[str]) -> bool:
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
return False
pep8: Fix E301 pep8 violations. Fix "E301: expected (1 or 2) blank line" pep8 violations.
2016-11-29 07:22:02 +01:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def get_all_permissions(self, user: Optional[UserProfile], obj: Any=None) -> Set[Any]:
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# Using Any type is safe because we are not doing anything with
mypy: Explicitly return Set[Any] for empty set in backends.py.
2017-11-02 06:36:10 +01:00
# the arguments and always return empty set.
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
return set()
pep8: Fix E301 pep8 violations. Fix "E301: expected (1 or 2) blank line" pep8 violations.
2016-11-29 07:22:02 +01:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def get_group_permissions(self, user: Optional[UserProfile], obj: Any=None) -> Set[Any]:
Annotate zproject/backends.py.
2016-08-08 09:38:50 +02:00
# Using Any type is safe because we are not doing anything with
mypy: Explicitly return Set[Any] for empty set in backends.py.
2017-11-02 06:36:10 +01:00
# the arguments and always return empty set.
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
return set()
zproject: Change use of typing.Text to str.
2018-05-10 18:53:55 +02:00
def django_to_ldap_username(self, username: str) -> str:
Improve LDAP_APPEND_DOMAIN default. The documentation suggests the default is None; this change makes that true. Also make the actual code robust to this being set to "" instead.
2015-10-13 22:57:38 +02:00
if settings.LDAP_APPEND_DOMAIN:
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
if not username.endswith("@" + settings.LDAP_APPEND_DOMAIN):
auth: Improve interactions between LDAPAuthBackend and EmailAuthBackend. Previously, if you had LDAPAuthBackend enabled, we basically blocked any other auth backends from working at all, by requiring the user's login flow include verifying the user's LDAP password. We still want to enforce that in the case that the account email matches LDAP_APPEND_DOMAIN, but there's a reasonable corner case: Having effectively guest users from outside the LDAP domain. We don't want to allow creating a Zulip-level password for a user inside the LDAP domain, so we still verify the LDAP password in that flow, but if the email is allowed to register (due to invite or whatever) but is outside the LDAP domain for the organization, we allow it to create an account and set a password. For the moment, this solution only covers EmailAuthBackend. It's likely that just extending the list of other backends we check for in the new conditional on `email_auth_backend` would be correct, but we haven't done any testing for those cases, and with auth code paths, it's better to disallow than allow untested code paths. Fixes #9422.
2018-05-29 06:52:06 +02:00
raise ZulipLDAPExceptionOutsideDomain("Username does not match LDAP domain.")
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
return email_to_username(username)
return username
pep8: Fix E301 pep8 violations. Fix "E301: expected (1 or 2) blank line" pep8 violations.
2016-11-29 07:22:02 +01:00
zproject: Use Python 3 syntax for typing.
2017-11-27 14:35:36 +01:00
def ldap_to_django_username(self, username: str) -> str:
Improve LDAP_APPEND_DOMAIN default. The documentation suggests the default is None; this change makes that true. Also make the actual code robust to this being set to "" instead.
2015-10-13 22:57:38 +02:00
if settings.LDAP_APPEND_DOMAIN:
Correctly concatenate local part with domain in LDAP backend. (imported from commit 951123e2e0ed52a11dc8b5ce3aeff2c1d4f5e816)
2013-11-25 17:57:30 +01:00
return "@".join((username, settings.LDAP_APPEND_DOMAIN))
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
return username
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
class ZulipLDAPAuthBackend(ZulipLDAPAuthBackendBase):
ldap: Show helpful message when realm is None.
2017-09-22 10:58:12 +02:00
REALM_IS_NONE_ERROR = 1
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
def authenticate(self, username: str, password: str, realm: Optional[Realm]=None,
backends: Convert authenticate methods to modern type annotations.
2017-11-21 20:47:26 +01:00
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
if realm is None:
return None
self._realm = realm
auth: Move LDAP check for whether backend is enabled earlier. The previous logic felt fairly convoluted.
2017-11-21 21:45:32 +01:00
if not ldap_auth_enabled(realm):
return None
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
try:
username = self.django_to_ldap_username(username)
ldap: Use new helper for checking realm status. We intentionally don't fix the indentation that now feels ridiculous below in order to make it easier to see what's actually changing in this commit.
2017-11-21 21:52:34 +01:00
return ZulipLDAPAuthBackendBase.authenticate(self,
username=username,
password=password)
auth: Improve interactions between LDAPAuthBackend and EmailAuthBackend. Previously, if you had LDAPAuthBackend enabled, we basically blocked any other auth backends from working at all, by requiring the user's login flow include verifying the user's LDAP password. We still want to enforce that in the case that the account email matches LDAP_APPEND_DOMAIN, but there's a reasonable corner case: Having effectively guest users from outside the LDAP domain. We don't want to allow creating a Zulip-level password for a user inside the LDAP domain, so we still verify the LDAP password in that flow, but if the email is allowed to register (due to invite or whatever) but is outside the LDAP domain for the organization, we allow it to create an account and set a password. For the moment, this solution only covers EmailAuthBackend. It's likely that just extending the list of other backends we check for in the new conditional on `email_auth_backend` would be correct, but we haven't done any testing for those cases, and with auth code paths, it's better to disallow than allow untested code paths. Fixes #9422.
2018-05-29 06:52:06 +02:00
except ZulipLDAPException as e:
if isinstance(e, ZulipLDAPExceptionOutsideDomain):
return_data['outside_ldap_domain'] = True
return None
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
ldap: Make Zulip compatible with django-auth-ldap==1.5. In version 1.5, get_or_create_user method is not used. It exists just for the compatibility. The main function to use now is get_or_build_user. See the changelog: https://django-auth-ldap.readthedocs.io/en/latest/changes.html#id1 Fixes #9307
2018-05-22 08:33:56 +02:00
def get_or_build_user(self, username: str, ldap_user: _LDAPUser) -> Tuple[UserProfile, bool]:
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
ldap: Shrink unnecessary scope of missing user block. This is a pure refactor, and will help simplify the change in the next commit.
2017-11-21 21:48:55 +01:00
if settings.LDAP_EMAIL_ATTR is not None:
# Get email from ldap attributes.
if settings.LDAP_EMAIL_ATTR not in ldap_user.attrs:
raise ZulipLDAPException("LDAP user doesn't have the needed %s attribute" % (
settings.LDAP_EMAIL_ATTR,))
username = ldap_user.attrs[settings.LDAP_EMAIL_ATTR][0]
backends.py: Enable auth with any ldap attributes as username. This commit enables user to authenticate with any attribute set in AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email attributes in the ldap server. Thus email and username can be completely unrelated. With some tweaks by tabbott to squash in the documentation and make it work on older servers.
2017-09-10 17:25:24 +02:00
ldap: Use new helper for checking realm status. We intentionally don't fix the indentation that now feels ridiculous below in order to make it easier to see what's actually changing in this commit.
2017-11-21 21:52:34 +01:00
return_data = {} # type: Dict[str, Any]
user_profile = common_get_active_user(username, self._realm, return_data)
ldap: Use simpler ordering for handling successful auth. common_get_active_user returns None if it finds any problems.
2017-11-21 21:57:23 +01:00
if user_profile is not None:
# An existing user, successfully authed; return it.
return user_profile, False
ldap: Use new helper for checking realm status. We intentionally don't fix the indentation that now feels ridiculous below in order to make it easier to see what's actually changing in this commit.
2017-11-21 21:52:34 +01:00
if return_data.get("inactive_realm"):
ldap: Simplify logic for user creation. self._realm can't be None here with the new logic in authenticate().
2017-11-18 01:13:35 +01:00
# This happens if there is a user account in a deactivated realm
ldap: Use new helper for checking realm status. We intentionally don't fix the indentation that now feels ridiculous below in order to make it easier to see what's actually changing in this commit.
2017-11-21 21:52:34 +01:00
raise ZulipLDAPException("Realm has been deactivated")
if return_data.get("inactive_user"):
ldap: Fix the error message for deactivated users.
2017-11-18 01:07:20 +01:00
raise ZulipLDAPException("User has been deactivated")
ldap: Use new helper for checking realm status. We intentionally don't fix the indentation that now feels ridiculous below in order to make it easier to see what's actually changing in this commit.
2017-11-21 21:52:34 +01:00
if return_data.get("invalid_subdomain"):
# TODO: Implement something in the caller for this to
# provide a nice user-facing error message for this
# situation (right now it just acts like any other auth
# failure).
raise ZulipLDAPException("Wrong subdomain")
ldap: Remove some unnecessary indentation. We created this redundant pair of conditionals in a preceding commit, in order to match the indentation of an `except` block so as to slice the diffs extra finely as we're refactoring auth code.
2017-11-18 01:12:05 +01:00
if self._realm.deactivated:
ldap: Simplify logic for user creation. self._realm can't be None here with the new logic in authenticate().
2017-11-18 01:13:35 +01:00
# This happens if no account exists, but the realm is
# deactivated, so we shouldn't create a new user account
ldap: Remove some unnecessary indentation. We created this redundant pair of conditionals in a preceding commit, in order to match the indentation of an `except` block so as to slice the diffs extra finely as we're refactoring auth code.
2017-11-18 01:12:05 +01:00
raise ZulipLDAPException("Realm has been deactivated")
ldap: Simplify logic for user creation. self._realm can't be None here with the new logic in authenticate().
2017-11-18 01:13:35 +01:00
# We have valid LDAP credentials; time to create an account.
ldap: Remove some unnecessary indentation. We created this redundant pair of conditionals in a preceding commit, in order to match the indentation of an `except` block so as to slice the diffs extra finely as we're refactoring auth code.
2017-11-18 01:12:05 +01:00
full_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["full_name"]
short_name = full_name = ldap_user.attrs[full_name_attr][0]
try:
full_name = check_full_name(full_name)
except JsonableError as e:
raise ZulipLDAPException(e.msg)
if "short_name" in settings.AUTH_LDAP_USER_ATTR_MAP:
short_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["short_name"]
short_name = ldap_user.attrs[short_name_attr][0]
user_profile = do_create_user(username, None, self._realm, full_name, short_name)
return user_profile, True
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
Fix support for LDAP Authentication mechanism. This addresses a few issues: * The LDAP authentication integration now creates an account a new Zulip account if the user authenticated correctly but didn't have a Zulip account. * The previous code didn't correctly disable the LDAP group permissions functionality. We're not using groups support from the Django LDAP extension and not doing so can cause errors trying to fetch data from LDAP. Huge thanks to @toaomatis for the initial implementation of this. Fixes #72.
2015-10-13 23:08:05 +02:00
# Just like ZulipLDAPAuthBackend, but doesn't let you log in.
class ZulipLDAPUserPopulator(ZulipLDAPAuthBackendBase):
Convert EmailAuthBackend and LDAPAuthBackend to accept a realm.
2017-11-17 23:56:45 +01:00
def authenticate(self, username: str, password: str, realm: Optional[Realm]=None,
backends: Convert authenticate methods to modern type annotations.
2017-11-21 20:47:26 +01:00
return_data: Optional[Dict[str, Any]]=None) -> None:
[manual] Support authentication and profile prefilling via LDAP The latter doesn't depend on the former; we can still fill in your full name even if you didn't authenticate via LDAP. This commit requires django_auth_ldap to be installed. On Debian systems, you can do so via APT: sudo apt-get install python-django-auth-ldap On OS X, use your favourite package manager. For pip, I believe this will work: pip install django_auth_ldap django_auth_ldap depends on the "ldap" Python package, which should be installed automatically on your system. (imported from commit 43967754285990b06b5a920abe95b8bce44e2053)
2013-11-21 01:30:20 +01:00
return None
Add a new dev login page for logging in without a password on the dev VM. (imported from commit ac8f2504771c9907b7e92dc91cec5f7220ce951b)
2015-08-19 02:58:20 +02:00
class DevAuthBackend(ZulipAuthMixin):
# Allow logging in as any user without a password.
# This is used for convenience when developing Zulip.
auth: Convert DevAuthBackend to accept a realm object.
2017-11-21 21:19:20 +01:00
def authenticate(self, dev_auth_username: Optional[str]=None, realm: Optional[Realm]=None,
backends: Convert authenticate methods to modern type annotations.
2017-11-21 20:47:26 +01:00
return_data: Optional[Dict[str, Any]]=None) -> Optional[UserProfile]:
auth: Convert DevAuthBackend to use a unique argument pattern. This helps ensure that we won't accidentally activate this backend on other code paths.
2017-11-21 21:13:46 +01:00
assert dev_auth_username is not None
auth: Convert DevAuthBackend to accept a realm object.
2017-11-21 21:19:20 +01:00
if realm is None:
return None
auth: Check for DevAuthBackend being enabled earlier.
2017-11-21 21:19:58 +01:00
if not dev_auth_enabled(realm):
return None
auth: Convert DevAuthBackend to use new helper.
2017-11-21 21:20:44 +01:00
return common_get_active_user(dev_auth_username, realm, return_data=return_data)
Add GitHub authentication. Fixes: #1042
2016-07-20 13:33:27 +02:00
Rename GitHubBackend to GitHubAuthBackend for consistency.
2016-07-29 21:47:14 +02:00
class GitHubAuthBackend(SocialAuthMixin, GithubOAuth2):
zproject: Remove u prefix from strings.
2017-11-02 08:05:56 +01:00
auth_backend_name = "GitHub"
auth: Reject authentication if auth backends are disabled.
2016-11-07 00:09:21 +01:00
zproject: Change use of typing.Text to str.
2018-05-10 18:53:55 +02:00
def get_email_address(self, *args: Any, **kwargs: Any) -> Optional[str]:
Add GitHub authentication. Fixes: #1042
2016-07-20 13:33:27 +02:00
try:
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
return kwargs['response']['email']
subdomains: Hardcode REALMS_HAVE_SUBDOMAINS=True.
2017-10-02 08:32:09 +02:00
except KeyError: # nocoverage # TODO: investigate
Add GitHub authentication. Fixes: #1042
2016-07-20 13:33:27 +02:00
return None
zproject: Change use of typing.Text to str.
2018-05-10 18:53:55 +02:00
def get_full_name(self, *args: Any, **kwargs: Any) -> str:
github: Return '' when name is None.
2017-03-09 09:45:21 +01:00
# In case of any error return an empty string. Name is used by
# the registration page to pre-populate the name field. However,
# if it is not supplied, our registration process will make sure
# that the user enters a valid name.
Add GitHub authentication. Fixes: #1042
2016-07-20 13:33:27 +02:00
try:
github: Return '' when name is None.
2017-03-09 09:45:21 +01:00
name = kwargs['response']['name']
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
except KeyError:
github: Return '' when name is None.
2017-03-09 09:45:21 +01:00
name = ''
if name is None:
Create SocialAuthMixin generic class around GitHub auth backend. This will simplify the process of adding new social authentication backends to Zulip.
2016-07-26 12:12:01 +02:00
return ''
Add GitHub authentication. Fixes: #1042
2016-07-20 13:33:27 +02:00
github: Return '' when name is None.
2017-03-09 09:45:21 +01:00
return name
github: Override get_authenticated_user. Now we have moved the `do_auth` function to `SocialAuthMixin`. Instead of overriding `do_auth`, derived class is now expected to override `get_authenticated_user`. `do_auth` now contains code which is expected by all backends.
2017-11-17 07:53:52 +01:00
def get_authenticated_user(self, *args: Any, **kwargs: Any) -> Optional[UserProfile]:
github: Add docstrings to functions. Docstring added to: * auth_complete * do_auth
2017-03-23 05:46:10 +01:00
"""
This function is called once the OAuth2 workflow is complete. We
github: Override get_authenticated_user. Now we have moved the `do_auth` function to `SocialAuthMixin`. Instead of overriding `do_auth`, derived class is now expected to override `get_authenticated_user`. `do_auth` now contains code which is expected by all backends.
2017-11-17 07:53:52 +01:00
override this function to call the proper `do_auth` function depending
on whether we are doing individual, team or organization based GitHub
authentication. The actual decision on authentication is done in
github: Pass proper parameters to authenticate. Django tries to authenticate against all backends one by one. The authenticate() function of GitHub backend used to take *args and **kwargs arguments due to which it could be called against any set of arguments. Django uses arguments to differentiate authenticate() methods.
2017-03-24 10:48:52 +01:00
SocialAuthMixin._common_authenticate().
github: Add docstrings to functions. Docstring added to: * auth_complete * do_auth
2017-03-23 05:46:10 +01:00
"""
Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
user_profile = None
team_id = settings.SOCIAL_AUTH_GITHUB_TEAM_ID
org_name = settings.SOCIAL_AUTH_GITHUB_ORG_NAME
if (team_id is None and org_name is None):
backend: Handle GitHub authentication failure. In case of AuthFailed exception return None.
2017-02-28 11:58:03 +01:00
try:
user_profile = GithubOAuth2.do_auth(self, *args, **kwargs)
except AuthFailed:
logging.info("User authentication failed.")
user_profile = None
Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
elif (team_id):
backend = GithubTeamOAuth2(self.strategy, self.redirect_uri)
try:
user_profile = backend.do_auth(*args, **kwargs)
except AuthFailed:
backends: Fix some slightly confusing error messages.
2017-01-12 03:08:29 +01:00
logging.info("User is not member of GitHub team.")
Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
user_profile = None
elif (org_name):
backend = GithubOrganizationOAuth2(self.strategy, self.redirect_uri)
try:
user_profile = backend.do_auth(*args, **kwargs)
except AuthFailed:
backends: Fix some slightly confusing error messages.
2017-01-12 03:08:29 +01:00
logging.info("User is not member of GitHub organization.")
Add GitHub team and organisation authentication. Fixes: #1473
2016-08-01 13:06:35 +02:00
user_profile = None
github: Override get_authenticated_user. Now we have moved the `do_auth` function to `SocialAuthMixin`. Instead of overriding `do_auth`, derived class is now expected to override `get_authenticated_user`. `do_auth` now contains code which is expected by all backends.
2017-11-17 07:53:52 +01:00
return user_profile
auth: Refactor auth backend enabled checking code.
2016-11-06 23:44:45 +01:00
AUTH_BACKEND_NAME_MAP = {
zproject: Remove u prefix from strings.
2017-11-02 08:05:56 +01:00
'Dev': DevAuthBackend,
'Email': EmailAuthBackend,
'GitHub': GitHubAuthBackend,
'Google': GoogleMobileOauth2Backend,
'LDAP': ZulipLDAPAuthBackend,
'RemoteUser': ZulipRemoteUserBackend,
zproject: Change use of typing.Text to str.
2018-05-10 18:53:55 +02:00
} # type: Dict[str, Any]