diff --git a/ee/api/chalicelib/core/users.py b/ee/api/chalicelib/core/users.py index 19e1d96e1..2529f544f 100644 --- a/ee/api/chalicelib/core/users.py +++ b/ee/api/chalicelib/core/users.py @@ -169,19 +169,7 @@ def update(tenant_id, user_id, changes, output=True): FROM public.basic_authentication WHERE users.user_id = %(user_id)s AND users.tenant_id = %(tenant_id)s - AND users.user_id = basic_authentication.user_id - RETURNING users.user_id, - users.email, - users.role, - users.name, - (CASE WHEN users.role = 'owner' THEN TRUE ELSE FALSE END) AS super_admin, - (CASE WHEN users.role = 'admin' THEN TRUE ELSE FALSE END) AS admin, - (CASE WHEN users.role = 'member' THEN TRUE ELSE FALSE END) AS member, - users.role_id, - (SELECT roles.name - FROM roles - WHERE roles.tenant_id=%(tenant_id)s - AND roles.role_id=users.role_id) AS role_name;""", + AND users.user_id = basic_authentication.user_id;""", {"tenant_id": tenant_id, "user_id": user_id, **changes}) ) if len(sub_query_bauth) > 0: @@ -192,19 +180,7 @@ def update(tenant_id, user_id, changes, output=True): FROM public.users AS users WHERE basic_authentication.user_id = %(user_id)s AND users.tenant_id = %(tenant_id)s - AND users.user_id = basic_authentication.user_id - RETURNING users.user_id AS id, - users.email, - users.role, - users.name, - (CASE WHEN users.role = 'owner' THEN TRUE ELSE FALSE END) AS super_admin, - (CASE WHEN users.role = 'admin' THEN TRUE ELSE FALSE END) AS admin, - (CASE WHEN users.role = 'member' THEN TRUE ELSE FALSE END) AS member, - users.role_id, - (SELECT roles.name - FROM roles - WHERE roles.tenant_id=%(tenant_id)s - AND roles.role_id=users.role_id) AS role_name;""", + AND users.user_id = basic_authentication.user_id;""", {"tenant_id": tenant_id, "user_id": user_id, **changes}) ) if not output: @@ -396,7 +372,7 @@ def get_by_email_only(email): cur.execute( cur.mogrify( f"""SELECT - users.user_id AS id, + users.user_id, users.tenant_id, users.email, users.role, 
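Review bot: The parameter dict `{"tenant_id": tenant_id, "user_id": user_id, **changes}` bound to both UPDATE statements lets a `changes` key named `tenant_id` or `user_id` override the WHERE-clause bindings, so a caller that forwards unfiltered input could move the update onto another user's row or another tenant. Reordering the merge is a one-line fix, `{**changes, "tenant_id": tenant_id, "user_id": user_id}`, so the identity values always win; whether any caller can actually pass those keys is not visible here, and the SET clause built from `changes` sits above the hunk, so its key whitelisting should be confirmed as well. Dropping the RETURNING clause also means these statements no longer yield the row, so the `if not output` path and whatever follows it must re-fetch the user. The update function starts and ends outside this hunk.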
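Review bot: Renaming the selected column from `users.user_id AS id` to `users.user_id` changes the key every caller of get_by_email_only reads; saml.py is updated in this commit to `existing["userId"]`, but any other reader of `["id"]` would now get a KeyError, so the remaining callers should be grepped. The callers use the camelCase `userId`, which implies a case-conversion step on the row that is not in the hunk, so a docstring stating the returned keys would help, e.g. `"""Return the user row for *email* (keys camelCased: userId, tenantId, email, role, ...), or None."""` — adjust to the actual return shape, and to whether the lookup really ignores tenant as the name suggests. The WHERE clause and return statement of this function are not shown here.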
@@ -879,7 +855,7 @@ def authenticate_sso(email, internal_id, exp=None): if r["serviceAccount"]: raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="service account is not authorized to login") - jwt_iat = TimeUTC.datetime_to_timestamp(change_jwt_iat(r['userId'])) + jwt_iat = TimeUTC.datetime_to_timestamp(refresh_jwt_iat_jti(r['userId'])) return authorizers.generate_jwt(r['userId'], r['tenantId'], iat=jwt_iat, aud=f"front:{helper.get_stage_name()}", exp=(exp + jwt_iat // 1000) if exp is not None else None) diff --git a/ee/api/routers/saml.py b/ee/api/routers/saml.py index cf52aa720..9451f4484 100644 --- a/ee/api/routers/saml.py +++ b/ee/api/routers/saml.py @@ -3,6 +3,9 @@ from fastapi import HTTPException, Request, Response, status from chalicelib.utils import SAML2_helper from chalicelib.utils.SAML2_helper import prepare_request, init_saml_auth from routers.base import get_routers +import logging + +logger = logging.getLogger(__name__) public_app, app, app_apikey = get_routers() from decouple import config 
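Review bot: `refresh_jwt_iat_jti` suggests a JWT ID is now rotated alongside the issued-at time, but `authorizers.generate_jwt` is still called with only `iat`, so if the jti is meant to be checked on later requests it never reaches the token; confirm what the helper returns and, if it yields a jti, pass it through (`jti=...`). The return value is also fed straight into `TimeUTC.datetime_to_timestamp`, so it must still be a datetime rather than a tuple or dict. authenticate_sso starts before this hunk.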
@@ -41,31 +44,30 @@ async def process_sso_assertion(request: Request): if 'AuthNRequestID' in session: del session['AuthNRequestID'] user_data = auth.get_attributes() - elif auth.get_settings().is_debug_active(): + else: error_reason = auth.get_last_error_reason() - print("SAML2 error:") - print(error_reason) + logger.error("SAML2 error:") + logger.error(error_reason) return {"errors": [error_reason]} email = auth.get_nameid() - print("received nameId:") - print(email) + logger.debug(f"received nameId: {email}") existing = users.get_by_email_only(auth.get_nameid()) internal_id = next(iter(user_data.get("internalId", [])), None) tenant_key = user_data.get("tenantKey", []) if len(tenant_key) == 0: - print("tenantKey not present in assertion, please check your SP-assertion-configuration") + logger.error("tenantKey not present in assertion, please check your SP-assertion-configuration") return {"errors": ["tenantKey not present in assertion, please check your SP-assertion-configuration"]} else: t = tenants.get_by_tenant_key(tenant_key[0]) if t is None: - print("invalid tenantKey, please copy the correct value from Preferences > Account") + logger.error("invalid tenantKey, please copy the correct value from Preferences > Account") return {"errors": ["invalid tenantKey, please copy the correct value from Preferences > Account"]} - print(user_data) + logger.debug(user_data) role_name = user_data.get("role", []) if len(role_name) == 0: - print("No role specified, setting role to member") + logger.info("No role specified, setting role to member") role_name = ["member"] role_name = role_name[0] role = roles.get_role_by_name(tenant_id=t['tenantId'], name=role_name) 
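Review bot: The `else:` branch that replaces the debug-only guard now returns `auth.get_last_error_reason()` to the client in a 200 response for every failed assertion, which exposes the SAML library's validation detail (signature, audience, clock skew and similar) to whoever posted the assertion and leaves the caller without an HTTP error status. Log the detail and fail generically instead: `logger.error("SAML2 error: %s", error_reason)` followed by `raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="SAML assertion could not be validated")`; HTTPException and status are already imported in this file. The tenantKey error returns further down also answer with 200 and could use the same treatment. `logger.debug(user_data)` writes every assertion attribute, including personal data, to the log, which is tolerable at debug level but deserves a comment saying so. The enclosing assertion-error `if` opens before this hunk and process_sso_assertion continues after it.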
@@ -80,24 +82,24 @@ async def process_sso_assertion(request: Request): if existing is None: deleted = users.get_deleted_user_by_email(auth.get_nameid()) if deleted is not None: - print("== restore deleted user ==") + logger.info("== restore deleted user ==") users.restore_sso_user(user_id=deleted["userId"], tenant_id=t['tenantId'], email=email, admin=admin_privileges, origin=SAML2_helper.get_saml2_provider(), name=" ".join(user_data.get("firstName", []) + user_data.get("lastName", [])), internal_id=internal_id, role_id=role["roleId"]) else: - print("== new user ==") + logger.info("== new user ==") users.create_sso_user(tenant_id=t['tenantId'], email=email, admin=admin_privileges, origin=SAML2_helper.get_saml2_provider(), name=" ".join(user_data.get("firstName", []) + user_data.get("lastName", [])), internal_id=internal_id, role_id=role["roleId"]) else: if t['tenantId'] != existing["tenantId"]: - print("user exists for a different tenant") + logger.warning("user exists for a different tenant") return {"errors": ["user exists for a different tenant"]} if existing.get("origin") is None: - print(f"== migrating user to {SAML2_helper.get_saml2_provider()} ==") - users.update(tenant_id=t['tenantId'], user_id=existing["id"], + logger.info(f"== migrating user to {SAML2_helper.get_saml2_provider()} ==") + users.update(tenant_id=t['tenantId'], user_id=existing["userId"], changes={"origin": SAML2_helper.get_saml2_provider(), "internal_id": internal_id}) expiration = auth.get_session_expiration() expiration = expiration if expiration is not None and expiration > 10 * 60 \ 
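Review bot: The provisioning log lines `logger.info("== restore deleted user ==")`, `logger.info("== new user ==")` and the migration message record that an account was created, restored or re-bound to SSO without saying which account or tenant, which is exactly what an incident responder needs from these events. Include the identifiers and use lazy formatting, e.g. `logger.info("restoring deleted SSO user %s (tenant %s)", deleted["userId"], t["tenantId"])`, `logger.info("creating SSO user %s (tenant %s)", email, t["tenantId"])` and `logger.info("migrating user %s to %s", existing["userId"], SAML2_helper.get_saml2_provider())`. The migration branch binds an existing password account to the SSO identity on nothing more than the NameID matching the stored email; that is presumably intended given the tenantKey lookup earlier in the handler, but a comment stating the trust assumption would help, e.g. `# NameID match is trusted because the tenantKey in the assertion already tied this IdP to the tenant -- confirm`. process_sso_assertion continues past the end of this hunk.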
@@ -128,27 +130,26 @@ async def process_sso_assertion_tk(tenantKey: str, request: Request): if 'AuthNRequestID' in session: del session['AuthNRequestID'] user_data = auth.get_attributes() - elif auth.get_settings().is_debug_active(): + else: error_reason = auth.get_last_error_reason() - print("SAML2 error:") - print(error_reason) + logger.error("SAML2 error:") + logger.error(error_reason) return {"errors": [error_reason]} email = auth.get_nameid() - print("received nameId:") - print(email) + logger.debug(f"received nameId: {email}") existing = users.get_by_email_only(auth.get_nameid()) internal_id = next(iter(user_data.get("internalId", [])), None) t = tenants.get_by_tenant_key(tenantKey) if t is None: - print("invalid tenantKey, please copy the correct value from Preferences > Account") + logger.error("invalid tenantKey, please copy the correct value from Preferences > Account") return {"errors": ["invalid tenantKey, please copy the correct value from Preferences > Account"]} - print(user_data) + logger.debug(user_data) role_name = user_data.get("role", []) if len(role_name) == 0: - print("No role specified, setting role to member") + logger.info("No role specified, setting role to member") role_name = ["member"] role_name = role_name[0] role = roles.get_role_by_name(tenant_id=t['tenantId'], name=role_name) 
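Review bot: The body of process_sso_assertion_tk in this hunk is a line-for-line copy of process_sso_assertion, differing only in that the tenant key comes from the path rather than the assertion, so the error handling changed here — unconditionally returning `auth.get_last_error_reason()` in a 200 body — is now duplicated and will drift; the assertion-error branch should log with `logger.error("SAML2 error: %s", error_reason)` and then `raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="SAML assertion could not be validated")`, and the shared nameId/attribute handling belongs in one private helper both routes call. Taking the tenant from the URL also means the poster of the assertion picks the tenant; the later `t['tenantId'] != existing["tenantId"]` check only covers already-known users, so whether the settings used by `init_saml_auth` are tenant-specific (not visible here) decides if a new user can be created under an arbitrary tenant. The enclosing error check opens before this hunk and the function continues after it.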
@@ -163,24 +164,24 @@ async def process_sso_assertion_tk(tenantKey: str, request: Request): if existing is None: deleted = users.get_deleted_user_by_email(auth.get_nameid()) if deleted is not None: - print("== restore deleted user ==") + logger.info("== restore deleted user ==") users.restore_sso_user(user_id=deleted["userId"], tenant_id=t['tenantId'], email=email, admin=admin_privileges, origin=SAML2_helper.get_saml2_provider(), name=" ".join(user_data.get("firstName", []) + user_data.get("lastName", [])), internal_id=internal_id, role_id=role["roleId"]) else: - print("== new user ==") + logger.info("== new user ==") users.create_sso_user(tenant_id=t['tenantId'], email=email, admin=admin_privileges, origin=SAML2_helper.get_saml2_provider(), name=" ".join(user_data.get("firstName", []) + user_data.get("lastName", [])), internal_id=internal_id, role_id=role["roleId"]) else: if t['tenantId'] != existing["tenantId"]: - print("user exists for a different tenant") + logger.warning("user exists for a different tenant") return {"errors": ["user exists for a different tenant"]} if existing.get("origin") is None: - print(f"== migrating user to {SAML2_helper.get_saml2_provider()} ==") - users.update(tenant_id=t['tenantId'], user_id=existing["id"], + logger.info(f"== migrating user to {SAML2_helper.get_saml2_provider()} ==") + users.update(tenant_id=t['tenantId'], user_id=existing["userId"], changes={"origin": SAML2_helper.get_saml2_provider(), "internal_id": internal_id}) expiration = auth.get_session_expiration() expiration = expiration if expiration is not None and expiration > 10 * 60 \ 
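Review bot: For an existing user whose `origin` is already set, the `else` branch after the tenant check does nothing — the `internalId` from the assertion is discarded and no log line records the SSO login — so a successful login by a previously provisioned account leaves no trace at info level while new and restored accounts do. Add `logger.info("SSO login for existing user %s (tenant %s)", existing["userId"], t["tenantId"])` at that point, and consider whether `internal_id` should be refreshed when it differs from the stored value (the stored value is not read here, so that is a question rather than a defect). process_sso_assertion_tk continues past the end of this hunk.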
@@ -215,13 +216,13 @@ async def process_sls_assertion(request: Request): user_email = logout_request.get_nameid(auth.get_last_request_xml()) to_logout = users.get_by_email_only(user_email) - if len(to_logout) > 0: - to_logout = to_logout[0]['id'] - users.change_jwt_iat(to_logout) + if to_logout is not None: + to_logout = to_logout['userId'] + users.refresh_jwt_iat_jti(to_logout) else: - print("Unknown user SLS-Request By IdP") + logger.warning("Unknown user SLS-Request By IdP") else: - print("Preprocessed SLS-Request by SP") + logger.info("Preprocessed SLS-Request by SP") if url is not None: return RedirectResponse(url=url)
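Review bot: The new `to_logout is not None` test and `to_logout['userId']` assume get_by_email_only now returns a single row or None, but the only change to that function in this diff is the column alias, so either its return shape changed in an earlier commit or this SLS path will raise on a list; confirm before merging. The lookup is by email alone, so an IdP-initiated logout revokes tokens for whichever user carries that address with no check that the user belongs to the tenant behind this IdP — if `init_saml_auth` is tenant-scoped (not visible here) that should be enforced. Reusing `to_logout` for the id and logging the unknown-user case without the address also hurt readability and triage: `users.refresh_jwt_iat_jti(to_logout['userId'])` and `logger.warning("Unknown user %s in SLS-Request by IdP", user_email)`. process_sls_assertion starts before this hunk.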