feat(api): user's SSO login check

2021-12-02 18:52:15 +01:00 · 2021-12-02 18:52:15 +01:00 · 779d4fba44
commit 779d4fba44
parent 7a4977931d
2 changed files with 16 additions and 7 deletions
--- a/ee/api/chalicelib/blueprints/bp_core_dynamic.py
+++ b/ee/api/chalicelib/blueprints/bp_core_dynamic.py
@ -26,9 +26,7 @@ def login():
    data = app.current_request.json_body
    if helper.allow_captcha() and not captcha.is_valid(data["g-recaptcha-response"]):
        return {"errors": ["Invalid captcha."]}
-    r = users.authenticate(data['email'], data['password'],
-                           for_plugin=False
-                           )
+    r = users.authenticate(data['email'], data['password'], for_plugin=False)
    if r is None:
        return Response(status_code=401, body={
            'errors': ['You’ve entered invalid Email or Password.']
--- a/ee/api/chalicelib/core/users.py
+++ b/ee/api/chalicelib/core/users.py
@ -4,7 +4,7 @@ import secrets
 from chalicelib.core import assist
 from chalicelib.core import authorizers, metadata, projects
 from chalicelib.core import tenants
-from chalicelib.utils import dev
+from chalicelib.utils import dev, SAML2_helper
 from chalicelib.utils import helper
 from chalicelib.utils import pg_client
 from chalicelib.utils.TimeUTC import TimeUTC
@ -293,7 +293,7 @@ def generate_new_api_key(user_id):


 def edit(user_id_to_update, tenant_id, changes, editor_id):
-    ALLOW_EDIT = ["name", "email", "admin", "appearance","roleId"]
+    ALLOW_EDIT = ["name", "email", "admin", "appearance", "roleId"]
    user = get(user_id=user_id_to_update, tenant_id=tenant_id)
    if editor_id != user_id_to_update or "admin" in changes and changes["admin"] != user["admin"]:
        admin = get(tenant_id=tenant_id, user_id=editor_id)
@ -629,9 +629,20 @@ def authenticate(email, password, for_change_password=False, for_plugin=False):

        cur.execute(query)
        r = cur.fetchone()
+        if r is None and SAML2_helper.is_saml2_available():
+            query = cur.mogrify(
+                f"""SELECT 1
+                    FROM public.users
+                    WHERE users.email = %(email)s 
+                        AND users.deleted_at IS NULL
+                        AND users.origin IS NOT NULL
+                    LIMIT 1;""",
+                {"email": email})
+            cur.execute(query)
+            if cur.fetchone() is not None:
+                return {"errors": ["must sign-in with SSO"]}
+
    if r is not None:
-        if r["origin"] is not None:
-            return {"errors": ["must sign-in with SSO"]}
        if for_change_password:
            return True
        r = helper.dict_to_camel_case(r, ignore_keys=["appearance"])