Commit Graph

192 Commits

Author SHA1 Message Date
Tim Abbott 1c9a28d0d8 ldap: Use simpler ordering for handling successful auth.
common_get_active_user returns None if it finds any problems.
2017-11-21 19:08:45 -08:00
Tim Abbott e0b56c72de ldap: Simplify logic for user creation.
self._realm can't be None here with the new logic in authenticate().
2017-11-21 19:08:45 -08:00
Tim Abbott e91051b1cd ldap: Remove some unnecessary indentation.
We created this redundant pair of conditionals in a preceding commit,
in order to match the indentation of an `except` block so as to slice
the diffs extra finely as we're refactoring auth code.
2017-11-21 19:06:19 -08:00
Tim Abbott c4c8879cf7 ldap: Fix the error message for deactivated users. 2017-11-21 18:35:05 -08:00
Tim Abbott 97f1c2a72a ldap: Use new helper for checking realm status.
We intentionally don't fix the indentation that now feels ridiculous
below in order to make it easier to see what's actually changing in
this commit.
2017-11-21 18:35:04 -08:00
Tim Abbott 104a8de148 ldap: Shrink unnecessary scope of missing user block.
This is a pure refactor, and will help simplify the change in the next
commit.
2017-11-21 18:30:51 -08:00
Tim Abbott e100935527 auth: Move LDAP check for whether backend is enabled earlier.
The previous logic felt fairly convoluted.
2017-11-21 18:30:51 -08:00
Tim Abbott 195a78ad11 auth: Convert EmailAuthBackend to use new helper.
This lets us delete some duplicate code, since common_get_active_user
handles an account in the wrong subdomain for us.

Also lets us delete the now-unused common_get_active_user_by_email.
2017-11-21 18:30:51 -08:00
Tim Abbott 8c21619be8 auth: Move checks for password_auth_enabled earlier.
This way, we don't attempt to evaluate whether the user's account is
active (etc.) until after we've checked the backend is enabled.  This
won't change the result of actual auth, but feels more readable.
2017-11-21 18:30:29 -08:00
Tim Abbott 3bfb19b5f3 Convert EmailAuthBackend and LDAPAuthBackend to accept a realm. 2017-11-21 18:23:50 -08:00
Tim Abbott 53224a16a9 EmailAuthBackend: Convert a return to assert for a now-impossible case. 2017-11-21 18:23:50 -08:00
Tim Abbott 1b95b098dd auth: Clarify comments explaining the GoogleMobileOauth2Backend. 2017-11-21 18:23:50 -08:00
Tim Abbott 23d791ca1b auth: Convert GoogleMobileOauth2Backend to use new helper.
That logic was now just duplicate code.
2017-11-21 18:23:49 -08:00
Tim Abbott caddef9279 auth: Invert conditionals in GoogleMobileOAuth2Backend.
This will help make the flow more readable.
2017-11-21 18:23:49 -08:00
Tim Abbott fee2e36800 auth: Set valid_attestation for Google auth backend always.
This is a behavior change, though we don't check the value in the
caller regardless.  It just seems more logical for us to correctly
report to the caller whether the Google auth itself was valid
unconditionally.
2017-11-21 18:23:49 -08:00
Tim Abbott 3c15f442fe auth: Check for GoogleMobileOauth2Backend being enabled earlier. 2017-11-21 18:23:49 -08:00
Tim Abbott a7d51127fb auth: Convert GoogleMobileOAuth2Backend to accept a realm object. 2017-11-21 18:23:49 -08:00
Tim Abbott 37acfb4e90 auth: Convert DevAuthBackend to use new helper. 2017-11-21 18:23:49 -08:00
Tim Abbott fa8eab303a auth: Check for DevAuthBackend being enabled earlier. 2017-11-21 18:23:49 -08:00
Tim Abbott 07bc31f818 auth: Convert DevAuthBackend to accept a realm object. 2017-11-21 18:23:49 -08:00
Tim Abbott 4968631d1b auth: Convert DevAuthBackend to use a unique argument pattern.
This helps ensure that we won't accidentally activate this backend on
other code paths.
2017-11-21 18:23:49 -08:00
Tim Abbott f2d3258a56 auth: Rewrite RemoteUserBackend to use new helper. 2017-11-21 18:23:49 -08:00
Tim Abbott 73df431b88 auth: Check for RemoteUserBackend being enabled earlier.
This is possible now that we have a realm object before fetching the
UserProfile object.
2017-11-21 18:23:49 -08:00
Tim Abbott d63e9f240c auth: Remove unnecessary remote_user=None code path.
This code path was only required because we had remote_user set as a
positional argument here, and thus we'd be running this auth backend's
code when actually using another auth backend (due to how Django auth
backends are selected based on argument signature).
2017-11-21 18:23:49 -08:00
Tim Abbott 387c9109ec auth: Convert RemoteUserBackend to accept a realm object. 2017-11-21 18:23:49 -08:00
Tim Abbott fb6abe1b1e auth: Rewrite DummyAuthBackend to not block email reuse.
This require some care to ensure we still provide the same nice error
messages for the case of a user who has an account, just not with this
organization.

Also, we fix the fact that the docstring was (and I think always has
been) at best confusing and perhaps even inaccurate.
2017-11-21 18:23:26 -08:00
Tim Abbott f17974ab32 DummyAuthBackend: Require being passed a realm object.
We should now always know the realm in our auth code paths.
2017-11-21 18:22:37 -08:00
Tim Abbott 089ff8a0ae backends: Convert authenticate methods to modern type annotations. 2017-11-21 11:47:26 -08:00
Umair Khan 1e3aa55f4f github: Override get_authenticated_user.
Now we have moved the `do_auth` function to `SocialAuthMixin`. Instead
of overriding `do_auth`, derived class is now expected to override
`get_authenticated_user`.

`do_auth` now contains code which is expected by all backends.
2017-11-17 11:44:13 -08:00
rht 047eca1629 zproject: Remove unused imports (F401). 2017-11-07 16:37:03 -08:00
rht e33c8d91e0 zproject: Remove inheritance from object. 2017-11-06 08:53:48 -08:00
neiljp (Neil Pilgrim) 1197ff9655 mypy: Explicitly return Set[Any] for empty set in backends.py. 2017-11-04 19:47:45 -07:00
rht 38acddee99 zproject: Remove u prefix from strings. 2017-11-02 11:01:47 -07:00
rht c4fcff7178 refactor: Replace super(.*self) with Python 3-specific super().
We change all the instances except for the `test_helpers.py`
TimeTrackingCursor monkey-patching, which actually needs to specify
the base class.
2017-10-30 14:30:25 -07:00
Greg Price fad3d56810 views: Move some login code from `registration` to `auth`.
Most of these have more to do with authentication in general than with
registering a new account.  `create_preregistration_user` could go
either way; we move it to `auth` so we can make the imports go only in
one direction.
2017-10-27 14:28:38 -07:00
Tim Abbott 8e2cdedf9a lint: Fix lines in Python codebase longer than 120 characters. 2017-10-26 17:47:30 -07:00
Greg Price 30cc2994de social auth: Replace a bit of explicit model-querying with get_realm. 2017-10-26 10:29:17 -07:00
Greg Price 27adbe8d79 subdomains: Clean up a use of various falsy values for the root domain.
This isn't a complete cleanup of the logic at this spot, but
at least the messy part that remains is now explicit.
2017-10-26 10:29:17 -07:00
Greg Price c9457d4af0 subdomains: Refactor check_subdomain to a clearer interface.
Now that every call site of check_subdomain produces its second
argument in exactly the same way, push that shared bit of logic
into a new wrapper for check_subdomain.

Also give that new function a name that says more specifically what
it's checking -- which I think is easier to articulate for this
interface than for that of check_subdomain.
2017-10-26 10:29:17 -07:00
Vishnu Ks 9314a7ac8b backends: Move EmailLogBackEnd to email_backends. 2017-10-25 14:35:12 -07:00
Vishnu Ks 1d94119d31 actions: Call send_initial_pms from process_new_human_user. 2017-10-25 14:14:59 -07:00
Tim Abbott 70d509196d backends: Call send_initial_pms on other user creation paths.
This fixes a problem we've seen where LDAP users were not getting this
part of the onboarding process, and a similar problem for human users
created via the API.

Ideally, we would have put these fixes in process_new_human_user, but
that would cause import loop problems.
2017-10-24 09:03:53 -07:00
Tim Abbott 716c525389 backends: Sort imports. 2017-10-24 08:59:39 -07:00
Tim Abbott 1ab2ca5986 subdomains: Extract zerver.lib.subdomains library.
These never really belonged with the rest of zerver.lib.utils.py, and
having a separate library makes it easier to enforce full test
coverage.
2017-10-18 22:27:48 -07:00
Umair Khan a48a86237d ldap: Change logging level to warning.
Fixes #6960.
2017-10-13 17:13:18 -07:00
Umair Khan 490515aea6 cleanup: Fix comment in SocialAuthMixin.auth_complete. 2017-10-13 17:13:18 -07:00
Vishnu Ks eef72a98e4 backends: Create custom email backend EmailLogBackEnd.
Create a new custom email backend which would automatically
logs the emails that are send in the dev environment as
well as print a friendly message in console to visit /emails
for accessing all the emails that are sent in dev environment.
Since django.core.mail.backends.console.EmailBackend is no longer
userd emails would not be printed to the console anymore.
2017-10-04 08:20:29 -07:00
Umair Khan 4ed182ef44 django-auth-ldap: Upgrade to 1.2.15.
In 1.2.15 version of django-auth-ldap, the authenticate() function of
LDAPBackend takes username and password as keyword arguments. This
commit updates the code to match this change.

Fixes #6588
2017-10-03 11:40:26 -07:00
Tim Abbott 1d72629dc4 subdomains: Hardcode REALMS_HAVE_SUBDOMAINS=True. 2017-10-02 16:42:43 -07:00
Umair Khan 69ccc8ce0e ldap: Show helpful message when realm is None. 2017-09-30 10:18:25 -07:00
Tim Abbott 63bbbba5aa backend: Add support for mobile_flow_otp in social auth.
It turns out that very little code change is required to support
GitHub auth on mobile.  Ideally, this would come with tests, though
the complicated part of the code path is covered by the Google auth
version.  But writing a test for this would take a long time, and I
think it's worth having the feature now, so I'll be doing tests as a
follow-up project.
2017-09-30 09:02:46 -07:00
Greg Price f129dc4f72 LDAP: Restore an except clause and add test to cover it.
Most of the paths leading through this except clause were cut in
73e8bba37 "ldap auth: Reassure django_auth_ldap".  The remaining one
had no test coverage -- the case that leads to it had a narrow unit
test, but no test had the exception actually propagate here.  As a
result, the clause was mistakenly cut, in commit
8d7f961a6 "LDAP: Remove now-impossible except clause.", which could
lead to an uncaught exception in production.

Restore the except clause, and add a test for it.
2017-09-28 18:26:39 -07:00
rht f01b629bf9 zproject: Remove absolute_import. 2017-09-27 20:20:07 -07:00
Tim Abbott 8d7f961a67 LDAP: Remove now-impossible except clause.
Since we made ZulipLDAPException a subclass of
_LDAPUser.AuthenticationFailed, the django-auth-ldap library already
handles catching it and returning None.

This fixes missing test coverage in this function introduced by
73e8bba379.
2017-09-26 21:33:50 -07:00
Greg Price 73e8bba379 ldap auth: Reassure django_auth_ldap our auth-failed exceptions are normal.
The main `authenticate` method in the django_auth_ldap package logs a message
at `exception` level if it passes through an exception it wasn't expecting.
Sensible practice, but we'd been passing through just such an exception for
any kind of routine authentication failure.  After we recently stopped suppressing
an arbitrary subset of loggers with `disable_existing_loggers`, these started
showing up noisily, including in tests.

So, make our exceptions expected.  Just like our own code, the upstream code
raises exceptions of a particular type for routine auth failures, and catches
them and just returns None.  We make our type derive from that one, so as to
just piggyback on that behavior.

Fixes an issue reported in a comment to #6674.
2017-09-26 21:00:41 -07:00
Supermanu 5f41f3c3cb backends.py: Expose backends that require email usernames 2017-09-15 10:29:02 -07:00
Supermanu 28beddfd76 backends.py: Enable auth with any ldap attributes as username.
This commit enables user to authenticate with any attribute set in
AUTH_LDAP_USER_SEARCH given that LDAP_EMAIL_ATTR is set to an email
attributes in the ldap server. Thus email and username can be
completely unrelated.

With some tweaks by tabbott to squash in the documentation and make it
work on older servers.
2017-09-15 10:28:41 -07:00
Greg Price 9cb9e0d687 Revert "mypy: Ensure realm_subdomain is not None in LDAP authenticate()."
I was too hasty in pushing this -- it looks right logically, but it
breaks a test.  May not be hard to fix forward, but reverting now to
unbreak the build in master.

This reverts commit 02acd467b4.
2017-08-09 20:12:27 -07:00
neiljp (Neil Pilgrim) 02acd467b4 mypy: Ensure realm_subdomain is not None in LDAP authenticate(). 2017-08-09 18:04:21 -07:00
Tim Abbott 53e4d8562b lint: Add a lint check for bare `type: ignore`s. 2017-07-27 16:31:55 -07:00
Greg Price e18baff32c JsonableError: Rename message from `error` to `msg`.
The whole thing is an error, so "message" is a more apt word for the
error message specifically.  We abbreviate that as `msg` in the actual
HTTP responses and in the signatures of `json_error` and friends, so
do the same here.
2017-07-24 16:41:22 -07:00
Umair Khan a4afca7b73 ldap: Don't authenticate if realm is None.
Fixes #5431
2017-06-21 10:14:34 -04:00
Aditya Bansal feb663ffb6 pep8: Add compliance with rule E261 backends.py. 2017-06-04 09:18:22 -07:00
umkay ccc70445d6 mypy: Fix strict-optional errors for test files.
Fix mypy --strict-optional errors in zerver/tests
2017-05-24 12:43:28 -07:00
Eklavya Sharma 13ee26019f zproject/backends.py: Check for None before use.
Check if the dict 'return_data' is None before setting attributes
on it.
2017-05-23 21:56:50 -07:00
Tim Abbott 5019b53492 auth: Pass is_signup option around. 2017-05-10 17:20:34 -07:00
Brock Whittaker 7afbc9ddd6 Redesign login and registration pages.
This completes a major redesign of the Zulip login and registration
pages, making them look much more slick and modern.

Major features include:
* Display of the realm name, description and icon on the login page
  and registration pages in the subdomains case.
* Much slicker looking buttons and input fields.
* A new overall style for the exterior of these portico pages.
2017-04-26 18:04:05 -07:00
Tim Abbott 55bea73035 Revert "github: Call the appropriate authenticate."
This reverts commit ab260731a9.

The overridden authenticate method was buggy.
2017-04-19 10:06:00 -07:00
Umair Khan ab260731a9 github: Call the appropriate authenticate.
This commit makes sure that GitHubAuthBackend will only authenticate
using its own authenticate method. This is done by adding a new
Python Social Auth strategy which instead of calling authenticate
method of Django, calls the authenticate of the backend directly.

The problem this commit solves is that while authenticating through
GitHub backend, we were ending up getting authenticated through
ZulipDummyBackend. This might happen because the default strategy used
by Python Social Auth calls the authenticate method of Django which
iterates over all the backends and tries the authenticate methods
which match with the function arguments. The new strategy this commit
adds calls the authenticate method of GitHub backend directly which
makes sense because we already know that we want to authenticate with
GithHub.

The actual problem of why we are ending up on ZulipDummyBackend is
still a mystery because the function arguments passed to its
authenticate method are different. It shouldn't be called.
2017-04-17 21:03:08 -07:00
Umair Khan 8e87ba439d github: Go to registration if email is invalid. 2017-04-04 18:03:33 -07:00
Umair Khan c5218fb584 github: Pass proper parameters to authenticate.
Django tries to authenticate against all backends one by one.
The authenticate() function of GitHub backend used to take
*args and **kwargs arguments due to which it could be called
against any set of arguments. Django uses arguments to
differentiate authenticate() methods.
2017-04-04 18:03:33 -07:00
Umair Khan f7860bca48 backends.py: Don't pass mutable default arguments.
Values of mutable default arguments are shared across all function
invocations. See
https://pythonconquerstheuniverse.wordpress.com/2012/02/15/mutable-default-arguments/
for further details.
2017-03-24 10:59:32 -07:00
Umair Khan 2dc2a6b705 github: Redirect to login page if invalid email. 2017-03-23 17:12:58 -07:00
Umair Khan 30c1e2245e github: Add docstrings to functions.
Docstring added to:
* auth_complete
* do_auth
2017-03-23 17:12:58 -07:00
Umair Khan 029a4e5696 backends.py: Update comment in process_do_auth. 2017-03-23 17:12:58 -07:00
Tim Abbott 5b0ff2a69a mypy: Fix some strict-optional related issues. 2017-03-19 22:26:25 -07:00
Umair Khan 0d296afa54 github: Return '' when name is None. 2017-03-15 11:11:09 -07:00
Umair Khan 1f60baba6b Handle social auth exception in auth_complete.
In case of an exception, we log it and return None which results in a
redirect to the login page.
2017-03-07 19:46:40 -08:00
Raghav Jajodia a3a03bd6a5 mypy: Added Dict, List and Set imports.
Fixed mypy errors associated with the upgrade.
2017-03-04 14:33:44 -08:00
Rishi Gupta 28d3af0965 Fix several new errors caught by mypy 0.501.
Clear out a bunch of easy to review errors, so we can focus on the more
complicated ones.
2017-03-03 14:12:52 -08:00
Umair Khan 802de53ede backend: Handle GitHub authentication failure.
In case of AuthFailed exception return None.
2017-02-28 09:55:37 -08:00
Tim Abbott 84b18f865a users: Verify full names explicitly in account registration.
I believe this completes the project of ensuring that our recent work
on limiting what characters can appears in users' full names covers
the entire codebase.
2017-02-07 20:20:32 -08:00
Harshit Bansal 8c428dc130 Fix `ZulipLDAPAuthBackend` not to rely on user's email domain.
In case realms have subdomains and the user hasn't been populated
yet in the Django User model, `ZulipLDAPAuthBackend` should not
rely on user's email domain to determine in which realm it should
be created in.

Fixes: #2227.
2017-01-25 15:24:49 -08:00
Tim Abbott d6e38e2a5c lint: Clean up E123 PEP-8 rule. 2017-01-23 21:34:26 -08:00
sinwar b0efa58eb4 requirements: Upgrade python-social-auth to latest version
Fixes #3403
2017-01-21 21:22:59 +05:30
Tim Abbott da84ff3746 backends: Fix some slightly confusing error messages. 2017-01-11 18:08:29 -08:00
JefftheBest1 71d34e91bd Fixed typos in backends.py 2017-01-12 13:05:50 +11:00
Tim Abbott f3b5683e77 views: Rename __init__.py to zerver.views.registration.
This completes the cleanup process of eliminating functions in the
root zerver/views/__init__.py module.
2017-01-08 16:21:15 -08:00
Rishi Gupta 717afcb408 Remove calls to get_realm in preparation for its deprecation.
Also removes two calls to email_to_domain.
2016-12-26 17:53:32 -08:00
Umair Khan 8e30530cc5 subdomains: Make GitHub login work with subdomains.
Fixes #2501.
2016-12-14 11:09:39 -08:00
Umair Khan 2fc6b9a0e4 backends.py: Return type of do_auth should be HttpResponse. 2016-12-14 11:08:53 -08:00
anirudhjain75 beaa62cafa mypy: Convert several directories to use typing.Text.
Specifically, these directories are converted: [analytics/, scripts/,
tools/, zerver/management/, zilencer/, zproject/]
2016-12-07 20:51:05 -08:00
Rafid Aslam 41bd88d5ed pep8: Fix E301 pep8 violations.
Fix "E301: expected (1 or 2) blank line" pep8 violations.
2016-11-29 08:51:44 -08:00
Rishi Gupta c1713c9659 Prevent code from using email domain to determine realm when subdomains.
Also removes the intermediate step of going through Realm.domain in the
non-subdomains case. Part of a larger project to remove Realm.domain
entirely.
2016-11-11 15:26:51 -08:00
umkay 21c024fc29 auth: Make supported authentication backends a bitfield on realm.
This makes it possible to configure only certain authentication
methods to be enabled on a per-realm basis.

Note that the authentication_methods_dict function (which checks what
backends are supported on the realm) requires an in function import
due to a circular dependency.
2016-11-06 16:16:24 -08:00
Tim Abbott b41c15fa05 auth: Reject authentication if auth backends are disabled. 2016-11-06 16:16:22 -08:00
Tim Abbott 30ab27c843 auth: Separate email_auth_enabled from ldap_auth_enabled. 2016-11-06 16:16:16 -08:00
Tim Abbott f8bb55f9c1 auth: Refactor auth backend enabled checking code. 2016-11-06 16:16:12 -08:00
Tim Abbott 3a3cee411d auth: Remove old password_auth_enabled hack.
This was used by an old configuration for zulip.com, which is no
longer in production use.
2016-11-06 14:50:15 -08:00
Umair Khan 50422e775b Add LDAP tests. 2016-10-28 09:27:55 -07:00