SSO / REMOTE_USER support

(imported from commit 4f4fad7af5d3c6099cac95d7708338c182626d72)
2026-06-24 21:08:25 +08:00 · 2013-11-04 17:16:46 -05:00 · 2013-11-04 17:16:46 -05:00 · c11b65590b
commit c11b65590b
parent b4ad8d2a5a
7 changed files with 55 additions and 4 deletions
--- a/zerver/models.py
+++ b/zerver/models.py
@ -141,6 +141,11 @@ def email_to_username(email):
 def email_to_domain(email):
    return email.split("@")[-1].lower()

+def remote_user_to_email(remote_user):
+    if settings.SSO_APPEND_DOMAIN is not None:
+        remote_user += "@" + SSO_APPEND_DOMAIN
+    return remote_user
+
 class RealmEmoji(models.Model):
    realm = models.ForeignKey(Realm)
    name = models.TextField()
--- a/zerver/views/init.py
+++ b/zerver/views/init.py
@ -472,6 +472,21 @@ def maybe_send_to_registration(request, email, full_name=''):
    else:
        return render_to_response('zerver/accounts_home.html', {'form': form})

+def remote_user_sso(request):
+    try:
+        remote_user = request.META["REMOTE_USER"]
+    except KeyError as e:
+        raise JsonableError("No REMOTE_USER set.")
+
+    user = authenticate(remote_user=remote_user)
+
+    if user is None:
+        # Since execution has reached here, REMOTE_USER is defined but no
+        # user account exists. Send them over to the PreregistrationUser flow.
+        return maybe_send_to_registration(request, remote_user_to_email(user))
+    else:
+        return HttpResponseRedirect(reverse('zerver.views.accounts_home'))
+
 def handle_openid_errors(request, issue, openid_response=None):
    if issue == "Unknown user":
        if openid_response is not None and openid_response.status == openid_SUCCESS:
--- a/zproject/backends.py
+++ b/zproject/backends.py
@ -1,5 +1,8 @@
+from __future__ import absolute_import
+
+from django.contrib.auth.backends import RemoteUserBackend
 from zerver.models import UserProfile, get_user_profile_by_id, \
-    get_user_profile_by_email
+    get_user_profile_by_email, remote_user_to_email

 from openid.consumer.consumer import SUCCESS

@ -53,3 +56,16 @@ class GoogleBackend(ZulipAuthMixin):

        return user_profile

+class ZulipRemoteUserBackend(RemoteUserBackend):
+    create_unknown_user = False
+
+    def authenticate(self, remote_user):
+        if not remote_user:
+            return
+
+        email = remote_user_to_email(remote_user)
+
+        try:
+            return get_user_profile_by_email(email)
+        except UserProfile.DoesNotExist:
+            return None
--- a/zproject/local_settings.py
+++ b/zproject/local_settings.py
@ -149,6 +149,11 @@ EMAIL_GATEWAY_IMAP_FOLDER = "INBOX"
 # must be delivered to the Inbox of the EMAIL_GATEWAY_LOGIN account above
 EMAIL_GATEWAY_PATTERN = "%s@streams.zulip.com"

+SSO_APPEND_DOMAIN = None
+
+AUTHENTICATION_BACKENDS = ('zproject.backends.EmailAuthBackend',
+                           'zproject.backends.GoogleBackend')
+

 DROPBOX_APP_KEY = "xxxxxxxxxxxxxxx"

--- a/zproject/local_settings_template.py
+++ b/zproject/local_settings_template.py
@ -37,6 +37,17 @@ TWITTER_CONSUMER_SECRET = ''
 TWITTER_ACCESS_TOKEN_KEY = ''
 TWITTER_ACCESS_TOKEN_SECRET = ''

+# When using SSO: If REMOTE_USER only provides a username, append this domain
+# to the returned value.
+SSO_APPEND_DOMAIN = None
+
+# Enable at least one of the following authentication backends.
+AUTHENTICATION_BACKENDS = (
+#                           'zproject.backends.EmailAuthBackend', # Email and password
+#                           'zerver.views.remote_user_sso', # Local SSO
+#                           'zproject.backends.GoogleBackend', # Google Apps
+    )
+
 # The following keys are automatically generated during the install process
 # PLEASE DO NOT EDIT THEM
 CAMO_KEY = ''
--- a/zproject/settings.py
+++ b/zproject/settings.py
@ -152,9 +152,7 @@ MIDDLEWARE_CLASSES = (
    'django.contrib.auth.middleware.AuthenticationMiddleware',
 )

-AUTHENTICATION_BACKENDS = ('zproject.backends.EmailAuthBackend',
-                           'zproject.backends.GoogleBackend',
-                           'guardian.backends.ObjectPermissionBackend')
+AUTHENTICATION_BACKENDS += ('guardian.backends.ObjectPermissionBackend',)
 ANONYMOUS_USER_ID = None

 AUTH_USER_MODEL = "zerver.UserProfile"
--- a/zproject/urls.py
+++ b/zproject/urls.py
@ -18,6 +18,7 @@ urlpatterns = patterns('',
    url(r'^accounts/login/openid/$', 'django_openid_auth.views.login_begin', name='openid-login'),
    url(r'^accounts/login/openid/done/$', 'zerver.views.process_openid_login', name='openid-complete'),
    url(r'^accounts/login/openid/done/$', 'django_openid_auth.views.login_complete', name='openid-complete'),
+    url(r'^accounts/login/sso/$', 'zerver.views.remote_user_sso'),
    # We have two entries for accounts/login to allow reverses on the Django
    # view we're wrapping to continue to function.
    url(r'^accounts/login/',  'zerver.views.login_page',         {'template_name': 'zerver/login.html'}),