From 86faa7eca0fceaae3ec9588b6972beb37112a2d4 Mon Sep 17 00:00:00 2001 From: "C. Weaver" Date: Mon, 23 Aug 2021 17:16:59 -0400 Subject: [PATCH] Tell the user why a log-in attmept failed. If relevant, suggest that the user create an account. Add support for setting the account creation URL. --- scimma_admin/hopskotch_auth/auth.py | 30 ++++++++++++------- .../templates/hopskotch_auth/login.html | 11 ++++--- .../hopskotch_auth/login_failure.html | 6 ++++ scimma_admin/hopskotch_auth/views.py | 10 +++++-- scimma_admin/scimma_admin/settings.py | 3 ++ 5 files changed, 43 insertions(+), 17 deletions(-) diff --git a/scimma_admin/hopskotch_auth/auth.py b/scimma_admin/hopskotch_auth/auth.py index d3e8a80..73bf725 100644 --- a/scimma_admin/hopskotch_auth/auth.py +++ b/scimma_admin/hopskotch_auth/auth.py 
@@ -30,30 +30,38 @@ def get_username(self, claims): def verify_claims(self, claims): logger.info(f"all claims: {claims}") - if "is_member_of" not in claims: + + def failWithError(user_msg, log_msg): log_event_id = secrets.token_hex(8) - msg = f"Your account is missing LDAP claims. Are you sure you used the account you use for SCIMMA? Error ID: {log_event_id}" - logger.error(f"account is missing LDAP claims, error_id={log_event_id}, claims={claims}") - raise PermissionDenied(msg) + user_msg += f" Error ID: {log_event_id}" + log_msg += f", error_id={log_event_id}" + logger.error(log_msg) + self.request.session["login_failure_reason"] = user_msg + raise PermissionDenied(user_msg) + + if "is_member_of" not in claims or "vo_person_id" not in claims: + failWithError("Your identity is missing LDAP claims. " + "Are you sure you used the account you use for SCIMMA?", + f"account is missing LDAP claims, claims={claims}" + ) for group in [self.kafka_user_auth_group]: if not is_member_of(claims, group): name = claims.get('vo_display_name', 'Unknown') id = claims.get('vo_person_id', 'Unknown') email = claims.get('email', 'Unknown') - msg = f"User vo_display_name={name}, vo_person_id={id}, email={email} is not in {group}, but requested access" - logger.error(msg) - raise NotInKafkaUsers(msg) + failWithError(f"Your account is not a member of the {group} group " + "and so is not authorized to access Hopskotch", + f"User vo_display_name={name}, vo_person_id={id}, " + "email={email} is not in {group}, but requested access") if "email" in claims: return True if "email_list" in claims and len(claims.get("email_list", [])) > 0: return True - log_event_id = secrets.token_hex(8) - msg = f"Your account is missing an email claim. 
Error ID: {log_event_id}" - logger.error(f"account is missing LDAP email claims, error_id={log_event_id}, claims={claims}") - raise PermissionDenied(msg) + failWithError("Your account is missing an email claim.", + f"account is missing LDAP email claims, claims={claims}") def create_user(self, claims): if "email" in claims: diff --git a/scimma_admin/hopskotch_auth/templates/hopskotch_auth/login.html b/scimma_admin/hopskotch_auth/templates/hopskotch_auth/login.html index c51aed3..ae97d34 100644 --- a/scimma_admin/hopskotch_auth/templates/hopskotch_auth/login.html +++ b/scimma_admin/hopskotch_auth/templates/hopskotch_auth/login.html @@ -8,11 +8,14 @@
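Review bot: The group-membership log message in the new `failWithError(...)` call drops the email and group, because the second adjacent literal is a plain string rather than an f-string: `"email={email} is not in {group}, but requested access"` is logged verbatim with the braces. Prefix it with `f` — `f"email={email} is not in {group}, but requested access"` — so the log line keeps the identifiers an operator needs to correlate a denied attempt with the error ID. This path previously raised `NotInKafkaUsers` and now raises `PermissionDenied` from the helper; if any caller or test distinguishes the two, that is a behavioural change the commit message does not mention. The helper also writes to `self.request.session`, which presumably is only populated while `authenticate()` is running, so a one-line comment such as `# self.request is set by authenticate(); verify_claims is only valid on that path` would save the next maintainer a surprise. As a style point `failWithError` would be `_fail_with_error` under the module's snake_case naming, and `create_user` at the end of the hunk continues outside it.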

SCiMMA Auth

Login + {% if signup_url %}

If you do not yet have an account, click - here - to create one. You should be able to sign up with your institutional single sign-on + here to create one. +

You should be able to sign up with your institutional single sign-on credentials, or with another identity provider such as - http://orcid.org. If using ORCID, please ensure that your - privacy settings allow your email address to be shared with 'trusted parties'. + http://orcid.org. +

If using ORCID, please ensure that your privacy settings allow your email + address to be shared with 'trusted parties'. + {% endif %} diff --git a/scimma_admin/hopskotch_auth/templates/hopskotch_auth/login_failure.html b/scimma_admin/hopskotch_auth/templates/hopskotch_auth/login_failure.html index 14457e2..63bfa0e 100644 --- a/scimma_admin/hopskotch_auth/templates/hopskotch_auth/login_failure.html +++ b/scimma_admin/hopskotch_auth/templates/hopskotch_auth/login_failure.html @@ -2,5 +2,11 @@ {% block page-body %}
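Review bot: The rewrapped paragraph still directs users to `http://orcid.org` over plain HTTP, and the rendered diff hides the anchor's href, so it is unclear whether only the visible text or also the link target is unencrypted. Since this is the login page pointing users at an identity provider, the reference should be `https://orcid.org` in both the text and the href. If the new signup anchor inside `{% if signup_url %}` takes its href from `{{ signup_url }}`, the value comes from settings rather than the request, which is the right source for it.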

Login Failure

+ {% if reason %} +

Reason: {{ reason }}

+ {% endif %} + {% if signup_url %} +

If you have not previously signed up for an account, you can do so here.

+ {% endif %} Login {% endblock %} diff --git a/scimma_admin/hopskotch_auth/views.py b/scimma_admin/hopskotch_auth/views.py index 13ce58e..893189d 100644 --- a/scimma_admin/hopskotch_auth/views.py +++ b/scimma_admin/hopskotch_auth/views.py @@ -52,7 +52,8 @@ def index(request): def login(request): if request.user.is_authenticated: return redirect(settings.LOGIN_REDIRECT_URL) - return render(request, 'hopskotch_auth/login.html',) + return render(request, 'hopskotch_auth/login.html', + {"signup_url":settings.USER_SIGNUP_URL}) def logout(request): @@ -60,7 +61,12 @@ def logout(request): def login_failure(request): - return render(request, 'hopskotch_auth/login_failure.html') + if "login_failure_reason" in request.session: + reason = request.session["login_failure_reason"] + else: + reason = None + return render(request, 'hopskotch_auth/login_failure.html', + {"reason":reason, "signup_url":settings.USER_SIGNUP_URL}) @require_POST diff --git a/scimma_admin/scimma_admin/settings.py b/scimma_admin/scimma_admin/settings.py index e386061..f0ae267 100644 --- a/scimma_admin/scimma_admin/settings.py +++ b/scimma_admin/scimma_admin/settings.py @@ -249,6 +249,9 @@ def middleware(request): KAFKA_USER_AUTH_GROUP = os.environ.get("KAFKA_USER_AUTH_GROUP", default="kafkaUsers") +# This URL will be shown to users as the place they should go to create accounts +USER_SIGNUP_URL = os.environ.get("USER_SIGNUP_URL", default=None) + try: from local_settings import * except ImportError:
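Review bot: `login_failure` reads `login_failure_reason` from the session but never removes it, so a reason stored by one failed attempt is presumably shown again on every later visit to the failure page, including after a subsequent failure that never reached `verify_claims` and therefore left the stale message in place. Replace the `if/else` with `reason = request.session.pop("login_failure_reason", None)`, which both clears the key and handles the absent case in one line. The `{"reason":reason, "signup_url":settings.USER_SIGNUP_URL}` and `{"signup_url":settings.USER_SIGNUP_URL}` literals would read as `{"reason": reason, ...}` under the file's usual spacing.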