Dev (#2496)

* fix(chalice): fixed Math-operators validation refactor(chalice): search for sessions that have events for heatmaps * refactor(chalice): search for sessions that have at least 1 location event for heatmaps * fix(chalice): fixed Math-operators validation refactor(chalice): search for sessions that have events for heatmaps * refactor(chalice): search for sessions that have at least 1 location event for heatmaps * feat(chalice): autocomplete return top 10 with stats * fix(chalice): fixed autocomplete top 10 meta-filters * feat(chalice): Update user on SSO refactor(chalice): refactored SSO
2024-08-16 18:35:05 +02:00 · 2024-08-16 18:35:05 +02:00 · 0de1c361ba
commit 0de1c361ba
parent 1b83e77fd3
3 changed files with 68 additions and 36 deletions
--- a/ee/api/chalicelib/core/users.py
+++ b/ee/api/chalicelib/core/users.py
@ -379,8 +379,12 @@ def get_by_email_only(email):
                        (CASE WHEN users.role = 'admin' THEN TRUE ELSE FALSE END)  AS admin,
                        (CASE WHEN users.role = 'member' THEN TRUE ELSE FALSE END) AS member,
                        origin,
-                        basic_authentication.password IS NOT NULL AS has_password
-                    FROM public.users LEFT JOIN public.basic_authentication ON users.user_id=basic_authentication.user_id
+                        basic_authentication.password IS NOT NULL AS has_password,
+                        role_id,
+                        internal_id,
+                        roles.name AS role_name
+                    FROM public.users LEFT JOIN public.basic_authentication USING(user_id)
+                                      INNER JOIN public.roles USING(role_id)
                    WHERE users.email = %(email)s                     
                     AND users.deleted_at IS NULL
                    LIMIT 1;""",
--- a/ee/api/chalicelib/utils/SAML2_helper.py
+++ b/ee/api/chalicelib/utils/SAML2_helper.py
@ -11,7 +11,11 @@ from starlette.datastructures import FormData
 if config("ENABLE_SSO", cast=bool, default=True):
    from onelogin.saml2.auth import OneLogin_Saml2_Auth

-API_PREFIX = "/api"
+if config("LOCAL_DEV", default=False, cast=bool):
+    API_PREFIX = ""
+else:
+    API_PREFIX = "/api"
+
 SAML2 = {
    "strict": config("saml_strict", cast=bool, default=True),
    "debug": config("saml_debug", cast=bool, default=True),
--- a/ee/api/routers/saml.py
+++ b/ee/api/routers/saml.py
@ -1,8 +1,12 @@
 import json
 import logging

+from decouple import config
 from fastapi import HTTPException, Request, Response, status
+from onelogin.saml2.auth import OneLogin_Saml2_Logout_Request
+from starlette.responses import RedirectResponse

+from chalicelib.core import users, tenants, roles
 from chalicelib.utils import SAML2_helper
 from chalicelib.utils.SAML2_helper import prepare_request, init_saml_auth
 from routers.base import get_routers
@ -10,12 +14,6 @@ from routers.base import get_routers
 logger = logging.getLogger(__name__)

 public_app, app, app_apikey = get_routers()
-from decouple import config
-
-from onelogin.saml2.auth import OneLogin_Saml2_Logout_Request
-
-from chalicelib.core import users, tenants, roles
-from starlette.responses import RedirectResponse


@public_app.get("/sso/saml2", tags=["saml2"])
@ -28,7 +26,7 @@ async def start_sso(request: Request, iFrame: bool = False, spot: bool = False):
    return RedirectResponse(url=sso_built_url)


-async def __process_assertion(request: Request, tenant_key=None):
+async def __process_assertion(request: Request, tenant_key=None) -> Response | dict:
    req = await prepare_request(request=request)
    session = req["cookie"]["session"]
    auth = init_saml_auth(req)
@ -91,45 +89,71 @@ async def __process_assertion(request: Request, tenant_key=None):
        if t is None:
            logger.error("invalid tenantKey, please copy the correct value from Preferences > Account")
            return {"errors": ["invalid tenantKey, please copy the correct value from Preferences > Account"]}
-    existing = users.get_by_email_only(auth.get_nameid())
+    existing = users.get_by_email_only(email)
+    role_names = user_data.get("role", [])
+    if len(role_names) == 0:
+        logger.info("No role specified, setting role to member")
+        role_names = ["member"]
+    role = None
+    for r in role_names:
+        if r.lower() == existing["roleName"].lower():
+            role = {"roleId": existing["roleId"], "name": r}
+        else:
+            role = roles.get_role_by_name(tenant_id=t['tenantId'], name=r)
+
+        if role is not None:
+            break
+
+    if role is None:
+        return {"errors": [f"role '{role_names}' not found, please create it in OpenReplay first"]}
+    logger.info(f"received roles:{role_names}; using:{role['name']}")
+    admin_privileges = user_data.get("adminPrivileges", [])
+    admin_privileges = not (len(admin_privileges) == 0
+                            or admin_privileges[0] is None
+                            or admin_privileges[0].lower() == "false")
+
    internal_id = next(iter(user_data.get("internalId", [])), None)
-
+    full_name = " ".join(user_data.get("firstName", []) + user_data.get("lastName", []))
    if existing is None:
-        role_name = user_data.get("role", [])
-        if len(role_name) == 0:
-            logger.info("No role specified, setting role to member")
-            role_name = ["member"]
-        role_name = role_name[0]
-        role = roles.get_role_by_name(tenant_id=t['tenantId'], name=role_name)
-        if role is None:
-            return {"errors": [f"role {role_name}  not found, please create it in openreplay first"]}
-
-        admin_privileges = user_data.get("adminPrivileges", [])
-        admin_privileges = not (len(admin_privileges) == 0
-                                or admin_privileges[0] is None
-                                or admin_privileges[0].lower() == "false")
-
        deleted = users.get_deleted_user_by_email(auth.get_nameid())
        if deleted is not None:
            logger.info("== restore deleted user ==")
            users.restore_sso_user(user_id=deleted["userId"], tenant_id=t['tenantId'], email=email,
                                   admin=admin_privileges, origin=SAML2_helper.get_saml2_provider(),
-                                   name=" ".join(user_data.get("firstName", []) + user_data.get("lastName", [])),
-                                   internal_id=internal_id, role_id=role["roleId"])
+                                   name=full_name, internal_id=internal_id, role_id=role["roleId"])
        else:
            logger.info("== new user ==")
            users.create_sso_user(tenant_id=t['tenantId'], email=email, admin=admin_privileges,
                                  origin=SAML2_helper.get_saml2_provider(),
-                                  name=" ".join(user_data.get("firstName", []) + user_data.get("lastName", [])),
-                                  internal_id=internal_id, role_id=role["roleId"])
+                                  name=full_name, internal_id=internal_id, role_id=role["roleId"])
    else:
        if t['tenantId'] != existing["tenantId"]:
            logger.warning("user exists for a different tenant")
            return {"errors": ["user exists for a different tenant"]}
-        if existing.get("origin") is None:
-            logger.info(f"== migrating user to {SAML2_helper.get_saml2_provider()} ==")
-            users.update(tenant_id=t['tenantId'], user_id=existing["userId"],
-                         changes={"origin": SAML2_helper.get_saml2_provider(), "internal_id": internal_id})
+        # Check difference between existing user and received data
+        received_data = {
+            "role": "admin" if admin_privileges else "member",
+            "origin": SAML2_helper.get_saml2_provider(),
+            "name": full_name,
+            "internal_id": internal_id,
+            "role_id": role["roleId"]
+        }
+        existing_data = {
+            "role": "admin" if existing["admin"] else "member",
+            "origin": existing["origin"],
+            "name": existing["name"],
+            "internal_id": existing["internalId"],
+            "role_id": existing["roleId"]
+        }
+        to_update = {}
+        for k in existing_data.keys():
+            if (k != "role" or not existing["superAdmin"]) and existing_data[k] != received_data[k]:
+                to_update[k] = received_data[k]
+
+        if len(to_update.keys()) > 0:
+            logger.info(f"== Updating user:{existing['userId']}: {to_update} ==")
+            users.update(tenant_id=t['tenantId'], user_id=existing["userId"], changes=to_update)
+
    jwt = users.authenticate_sso(email=email, internal_id=internal_id, include_spot=spot)
    if jwt is None:
        return {"errors": ["null JWT"]}
@ -150,13 +174,13 @@ async def __process_assertion(request: Request, tenant_key=None):
@public_app.post('/sso/saml2/acs', tags=["saml2"])
@public_app.post('/sso/saml2/acs/', tags=["saml2"])
 async def process_sso_assertion(request: Request):
-    return await __process_assertion(request)
+    return await __process_assertion(request=request)


@public_app.post('/sso/saml2/acs/{tenantKey}', tags=["saml2"])
@public_app.post('/sso/saml2/acs/{tenantKey}/', tags=["saml2"])
 async def process_sso_assertion_tk(tenantKey: str, request: Request):
-    return await __process_assertion(request, tenantKey)
+    return await __process_assertion(request=request, tenant_key=tenantKey)


@public_app.get('/sso/saml2/sls', tags=["saml2"])