|
6 | 6 | import logging |
7 | 7 |
|
8 | 8 | from flask import redirect, request, jsonify, url_for |
| 9 | +from werkzeug.exceptions import Unauthorized |
9 | 10 |
|
10 | 11 | from redash import models, settings |
| 12 | +from redash.settings.organization import settings as org_settings |
| 13 | +from redash.authentication import jwt_auth |
11 | 14 | from redash.authentication.org_resolving import current_org |
12 | 15 | from redash.tasks import record_event |
13 | 16 |
|
@@ -48,6 +51,21 @@ def load_user(user_id): |
48 | 51 | return None |
49 | 52 |
|
50 | 53 |
|
| 54 | +def request_loader(request): |
| 55 | + user = None |
| 56 | + if settings.AUTH_TYPE == 'hmac': |
| 57 | + user = hmac_load_user_from_request(request) |
| 58 | + elif settings.AUTH_TYPE == 'api_key': |
| 59 | + user = api_key_load_user_from_request(request) |
| 60 | + else: |
| 61 | + logger.warning("Unknown authentication type ({}). Using default (HMAC).".format(settings.AUTH_TYPE)) |
| 62 | + user = hmac_load_user_from_request(request) |
| 63 | + |
| 64 | + if org_settings['auth_jwt_login_enabled'] and user is None: |
| 65 | + user = jwt_token_load_user_from_request(request) |
| 66 | + return user |
| 67 | + |
| 68 | + |
51 | 69 | def hmac_load_user_from_request(request): |
52 | 70 | signature = request.args.get('signature') |
53 | 71 | expires = float(request.args.get('expires') or 0) |
@@ -116,6 +134,40 @@ def api_key_load_user_from_request(request): |
116 | 134 | return user |
117 | 135 |
|
118 | 136 |
|
| 137 | +def jwt_token_load_user_from_request(request): |
| 138 | + org = current_org._get_current_object() |
| 139 | + |
| 140 | + payload = None |
| 141 | + |
| 142 | + if org_settings['auth_jwt_auth_cookie_name']: |
| 143 | + jwt_token = request.cookies.get(org_settings['auth_jwt_auth_cookie_name'], None) |
| 144 | + elif org_settings['auth_jwt_auth_header_name']: |
| 145 | + jwt_token = request.headers.get(org_settings['auth_jwt_auth_header_name'], None) |
| 146 | + else: |
| 147 | + return None |
| 148 | + |
| 149 | + if jwt_token: |
| 150 | + payload, token_is_valid = jwt_auth.verify_jwt_token( |
| 151 | + jwt_token, |
| 152 | + expected_issuer=org_settings['auth_jwt_auth_issuer'], |
| 153 | + expected_audience=org_settings['auth_jwt_auth_audience'], |
| 154 | + algorithms=org_settings['auth_jwt_auth_algorithms'], |
| 155 | + public_certs_url=org_settings['auth_jwt_auth_public_certs_url'], |
| 156 | + ) |
| 157 | + if not token_is_valid: |
| 158 | + raise Unauthorized('Invalid JWT token') |
| 159 | + |
| 160 | + if not payload: |
| 161 | + return |
| 162 | + |
| 163 | + try: |
| 164 | + user = models.User.get_by_email_and_org(payload['email'], org) |
| 165 | + except models.NoResultFound: |
| 166 | + user = create_and_login_user(current_org, payload['email'], payload['email']) |
| 167 | + |
| 168 | + return user |
| 169 | + |
| 170 | + |
119 | 171 | def log_user_logged_in(app, user): |
120 | 172 | event = { |
121 | 173 | 'org_id': current_org.id, |
@@ -168,14 +220,7 @@ def setup_authentication(app): |
168 | 220 | app.register_blueprint(ldap_auth.blueprint) |
169 | 221 |
|
170 | 222 | user_logged_in.connect(log_user_logged_in) |
171 | | - |
172 | | - if settings.AUTH_TYPE == 'hmac': |
173 | | - login_manager.request_loader(hmac_load_user_from_request) |
174 | | - elif settings.AUTH_TYPE == 'api_key': |
175 | | - login_manager.request_loader(api_key_load_user_from_request) |
176 | | - else: |
177 | | - logger.warning("Unknown authentication type ({}). Using default (HMAC).".format(settings.AUTH_TYPE)) |
178 | | - login_manager.request_loader(hmac_load_user_from_request) |
| 223 | + login_manager.request_loader(request_loader) |
179 | 224 |
|
180 | 225 |
|
181 | 226 | def create_and_login_user(org, name, email, picture=None): |
|
0 commit comments