highperfocused/danswer
1
0
Fork 0
mirror of https://github.com/danswer-ai/danswer.git synced 2025-06-12 17:10:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix bug with saml validation (#4522)

Browse Source 
* fix bug with saml validation

* k
This commit is contained in:
pablonyx 2025-04-16 12:35:58 -07:00 committed by GitHub
parent 7e7b6e08ff
commit 0d12e96362
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 41 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
backend/ee/onyx/server/saml.py
View File

@ -1,5 +1,6 @@
import contextlib import contextlib
import secrets import secrets
import string
from typing import Any from typing import Any
from fastapi import APIRouter from fastapi import APIRouter
@ -9,7 +10,6 @@ from fastapi import Request
from fastapi import Response from fastapi import Response
from fastapi import status from fastapi import status
from fastapi_users import exceptions from fastapi_users import exceptions
from fastapi_users.password import PasswordHelper
from onelogin.saml2.auth import OneLogin_Saml2_Auth # type: ignore from onelogin.saml2.auth import OneLogin_Saml2_Auth # type: ignore
from pydantic import BaseModel from pydantic import BaseModel
from sqlalchemy.ext.asyncio import AsyncSession from sqlalchemy.ext.asyncio import AsyncSession
@ -38,6 +38,16 @@ router = APIRouter(prefix="/auth/saml")
async def upsert_saml_user(email: str) -> User: async def upsert_saml_user(email: str) -> User:
"""
Creates or updates a user account for SAML authentication.
For new users or users with non-web-login roles:
1. Generates a secure random password that meets validation criteria
2. Creates the user with appropriate role and verified status
SAML users never use this password directly as they authenticate via their
Identity Provider, but we need a valid password to satisfy system requirements.
"""
logger.debug(f"Attempting to upsert SAML user with email: {email}") logger.debug(f"Attempting to upsert SAML user with email: {email}")
get_async_session_context = contextlib.asynccontextmanager( get_async_session_context = contextlib.asynccontextmanager(
get_async_session get_async_session
@ -60,15 +70,41 @@ async def upsert_saml_user(email: str) -> User:
user_count = await get_user_count() user_count = await get_user_count()
role = UserRole.ADMIN if user_count == 0 else UserRole.BASIC role = UserRole.ADMIN if user_count == 0 else UserRole.BASIC
fastapi_users_pw_helper = PasswordHelper() # Generate a secure random password meeting validation requirements
password = fastapi_users_pw_helper.generate() # We use a secure random password since we never need to know what it is
hashed_pass = fastapi_users_pw_helper.hash(password) # (SAML users authenticate via their IdP)
secure_random_password = "".join(
[
# Ensure minimum requirements are met
secrets.choice(
string.ascii_uppercase
), # at least one uppercase
secrets.choice(
string.ascii_lowercase
), # at least one lowercase
secrets.choice(string.digits), # at least one digit
secrets.choice(
"!@#$%^&*()-_=+[]{}|;:,.<>?"
), # at least one special
# Fill remaining length with random chars (mix of all types)
"".join(
secrets.choice(
string.ascii_letters
+ string.digits
+ "!@#$%^&*()-_=+[]{}|;:,.<>?"
)
for _ in range(12)
),
]
)
# Create the user with SAML-appropriate settings
user = await user_manager.create( user = await user_manager.create(
UserCreate( UserCreate(
email=email, email=email,
password=hashed_pass, password=secure_random_password, # Pass raw password, not hash
role=role, role=role,
is_verified=True, # SAML users are pre-verified by their IdP
) )
) )