Api v1.15.0 (#1608)

* fix(chalice): fixed update modules
* fix(chalice): fixed update modules
* fix(chalice): fixed SSO
This commit is contained in:
Kraiem Taha Yassine 2023-11-03 20:51:49 +01:00 committed by GitHub
parent dbb613c752
commit f249b7aa94
2 changed files with 37 additions and 60 deletions


@ -169,19 +169,7 @@ def update(tenant_id, user_id, changes, output=True):
FROM public.basic_authentication
WHERE users.user_id = %(user_id)s
AND users.tenant_id = %(tenant_id)s
AND users.user_id = basic_authentication.user_id
RETURNING users.user_id,
users.email,
users.role,
users.name,
(CASE WHEN users.role = 'owner' THEN TRUE ELSE FALSE END) AS super_admin,
(CASE WHEN users.role = 'admin' THEN TRUE ELSE FALSE END) AS admin,
(CASE WHEN users.role = 'member' THEN TRUE ELSE FALSE END) AS member,
users.role_id,
(SELECT roles.name
FROM roles
WHERE roles.tenant_id=%(tenant_id)s
AND roles.role_id=users.role_id) AS role_name;""",
AND users.user_id = basic_authentication.user_id;""",
{"tenant_id": tenant_id, "user_id": user_id, **changes})
)
if len(sub_query_bauth) > 0:
@ -192,19 +180,7 @@ def update(tenant_id, user_id, changes, output=True):
FROM public.users AS users
WHERE basic_authentication.user_id = %(user_id)s
AND users.tenant_id = %(tenant_id)s
AND users.user_id = basic_authentication.user_id
RETURNING users.user_id AS id,
users.email,
users.role,
users.name,
(CASE WHEN users.role = 'owner' THEN TRUE ELSE FALSE END) AS super_admin,
(CASE WHEN users.role = 'admin' THEN TRUE ELSE FALSE END) AS admin,
(CASE WHEN users.role = 'member' THEN TRUE ELSE FALSE END) AS member,
users.role_id,
(SELECT roles.name
FROM roles
WHERE roles.tenant_id=%(tenant_id)s
AND roles.role_id=users.role_id) AS role_name;""",
AND users.user_id = basic_authentication.user_id;""",
{"tenant_id": tenant_id, "user_id": user_id, **changes})
)
if not output:
@ -396,7 +372,7 @@ def get_by_email_only(email):
cur.execute(
cur.mogrify(
f"""SELECT
users.user_id AS id,
users.user_id,
users.tenant_id,
users.email,
users.role,
@ -879,7 +855,7 @@ def authenticate_sso(email, internal_id, exp=None):
if r["serviceAccount"]:
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED,
detail="service account is not authorized to login")
jwt_iat = TimeUTC.datetime_to_timestamp(change_jwt_iat(r['userId']))
jwt_iat = TimeUTC.datetime_to_timestamp(refresh_jwt_iat_jti(r['userId']))
return authorizers.generate_jwt(r['userId'], r['tenantId'],
iat=jwt_iat, aud=f"front:{helper.get_stage_name()}",
exp=(exp + jwt_iat // 1000) if exp is not None else None)
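Review bot: `TimeUTC.datetime_to_timestamp(refresh_jwt_iat_jti(r['userId']))` passes the helper's return value straight into a datetime conversion, yet the new name suggests the helper now refreshes both the JWT iat and a JTI; if it returns anything other than a single datetime this line breaks the SSO login path, and either way no JTI is forwarded to `authorizers.generate_jwt`, which still receives only `iat`. The definition of `refresh_jwt_iat_jti` is not in this diff, so its return shape should be confirmed, and if a JTI is produced it is worth deciding whether `generate_jwt` should carry it so issued tokens can be invalidated independently of the iat check. The same renamed helper is also called from process_sls_assertion in the second file, where its return value is discarded. The body of authenticate_sso begins outside the hunk.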


@ -3,6 +3,9 @@ from fastapi import HTTPException, Request, Response, status
from chalicelib.utils import SAML2_helper
from chalicelib.utils.SAML2_helper import prepare_request, init_saml_auth
from routers.base import get_routers
import logging
logger = logging.getLogger(__name__)
public_app, app, app_apikey = get_routers()
from decouple import config
@ -41,31 +44,30 @@ async def process_sso_assertion(request: Request):
if 'AuthNRequestID' in session:
del session['AuthNRequestID']
user_data = auth.get_attributes()
elif auth.get_settings().is_debug_active():
else:
error_reason = auth.get_last_error_reason()
print("SAML2 error:")
print(error_reason)
logger.error("SAML2 error:")
logger.error(error_reason)
return {"errors": [error_reason]}
email = auth.get_nameid()
print("received nameId:")
print(email)
logger.debug(f"received nameId: {email}")
existing = users.get_by_email_only(auth.get_nameid())
internal_id = next(iter(user_data.get("internalId", [])), None)
tenant_key = user_data.get("tenantKey", [])
if len(tenant_key) == 0:
print("tenantKey not present in assertion, please check your SP-assertion-configuration")
logger.error("tenantKey not present in assertion, please check your SP-assertion-configuration")
return {"errors": ["tenantKey not present in assertion, please check your SP-assertion-configuration"]}
else:
t = tenants.get_by_tenant_key(tenant_key[0])
if t is None:
print("invalid tenantKey, please copy the correct value from Preferences > Account")
logger.error("invalid tenantKey, please copy the correct value from Preferences > Account")
return {"errors": ["invalid tenantKey, please copy the correct value from Preferences > Account"]}
print(user_data)
logger.debug(user_data)
role_name = user_data.get("role", [])
if len(role_name) == 0:
print("No role specified, setting role to member")
logger.info("No role specified, setting role to member")
role_name = ["member"]
role_name = role_name[0]
role = roles.get_role_by_name(tenant_id=t['tenantId'], name=role_name)
@ -80,24 +82,24 @@ async def process_sso_assertion(request: Request):
if existing is None:
deleted = users.get_deleted_user_by_email(auth.get_nameid())
if deleted is not None:
print("== restore deleted user ==")
logger.info("== restore deleted user ==")
users.restore_sso_user(user_id=deleted["userId"], tenant_id=t['tenantId'], email=email,
admin=admin_privileges, origin=SAML2_helper.get_saml2_provider(),
name=" ".join(user_data.get("firstName", []) + user_data.get("lastName", [])),
internal_id=internal_id, role_id=role["roleId"])
else:
print("== new user ==")
logger.info("== new user ==")
users.create_sso_user(tenant_id=t['tenantId'], email=email, admin=admin_privileges,
origin=SAML2_helper.get_saml2_provider(),
name=" ".join(user_data.get("firstName", []) + user_data.get("lastName", [])),
internal_id=internal_id, role_id=role["roleId"])
else:
if t['tenantId'] != existing["tenantId"]:
print("user exists for a different tenant")
logger.warning("user exists for a different tenant")
return {"errors": ["user exists for a different tenant"]}
if existing.get("origin") is None:
print(f"== migrating user to {SAML2_helper.get_saml2_provider()} ==")
users.update(tenant_id=t['tenantId'], user_id=existing["id"],
logger.info(f"== migrating user to {SAML2_helper.get_saml2_provider()} ==")
users.update(tenant_id=t['tenantId'], user_id=existing["userId"],
changes={"origin": SAML2_helper.get_saml2_provider(), "internal_id": internal_id})
expiration = auth.get_session_expiration()
expiration = expiration if expiration is not None and expiration > 10 * 60 \
@ -128,27 +130,26 @@ async def process_sso_assertion_tk(tenantKey: str, request: Request):
if 'AuthNRequestID' in session:
del session['AuthNRequestID']
user_data = auth.get_attributes()
elif auth.get_settings().is_debug_active():
else:
error_reason = auth.get_last_error_reason()
print("SAML2 error:")
print(error_reason)
logger.error("SAML2 error:")
logger.error(error_reason)
return {"errors": [error_reason]}
email = auth.get_nameid()
print("received nameId:")
print(email)
logger.debug(f"received nameId: {email}")
existing = users.get_by_email_only(auth.get_nameid())
internal_id = next(iter(user_data.get("internalId", [])), None)
t = tenants.get_by_tenant_key(tenantKey)
if t is None:
print("invalid tenantKey, please copy the correct value from Preferences > Account")
logger.error("invalid tenantKey, please copy the correct value from Preferences > Account")
return {"errors": ["invalid tenantKey, please copy the correct value from Preferences > Account"]}
print(user_data)
logger.debug(user_data)
role_name = user_data.get("role", [])
if len(role_name) == 0:
print("No role specified, setting role to member")
logger.info("No role specified, setting role to member")
role_name = ["member"]
role_name = role_name[0]
role = roles.get_role_by_name(tenant_id=t['tenantId'], name=role_name)
@ -163,24 +164,24 @@ async def process_sso_assertion_tk(tenantKey: str, request: Request):
if existing is None:
deleted = users.get_deleted_user_by_email(auth.get_nameid())
if deleted is not None:
print("== restore deleted user ==")
logger.info("== restore deleted user ==")
users.restore_sso_user(user_id=deleted["userId"], tenant_id=t['tenantId'], email=email,
admin=admin_privileges, origin=SAML2_helper.get_saml2_provider(),
name=" ".join(user_data.get("firstName", []) + user_data.get("lastName", [])),
internal_id=internal_id, role_id=role["roleId"])
else:
print("== new user ==")
logger.info("== new user ==")
users.create_sso_user(tenant_id=t['tenantId'], email=email, admin=admin_privileges,
origin=SAML2_helper.get_saml2_provider(),
name=" ".join(user_data.get("firstName", []) + user_data.get("lastName", [])),
internal_id=internal_id, role_id=role["roleId"])
else:
if t['tenantId'] != existing["tenantId"]:
print("user exists for a different tenant")
logger.warning("user exists for a different tenant")
return {"errors": ["user exists for a different tenant"]}
if existing.get("origin") is None:
print(f"== migrating user to {SAML2_helper.get_saml2_provider()} ==")
users.update(tenant_id=t['tenantId'], user_id=existing["id"],
logger.info(f"== migrating user to {SAML2_helper.get_saml2_provider()} ==")
users.update(tenant_id=t['tenantId'], user_id=existing["userId"],
changes={"origin": SAML2_helper.get_saml2_provider(), "internal_id": internal_id})
expiration = auth.get_session_expiration()
expiration = expiration if expiration is not None and expiration > 10 * 60 \
@ -215,13 +216,13 @@ async def process_sls_assertion(request: Request):
user_email = logout_request.get_nameid(auth.get_last_request_xml())
to_logout = users.get_by_email_only(user_email)
if len(to_logout) > 0:
to_logout = to_logout[0]['id']
users.change_jwt_iat(to_logout)
if to_logout is not None:
to_logout = to_logout['userId']
users.refresh_jwt_iat_jti(to_logout)
else:
print("Unknown user SLS-Request By IdP")
logger.warning("Unknown user SLS-Request By IdP")
else:
print("Preprocessed SLS-Request by SP")
logger.info("Preprocessed SLS-Request by SP")
if url is not None:
return RedirectResponse(url=url)