jumpserver/apps/authentication/views/login.py

# ~*~ coding: utf-8 ~*~
#

from __future__ import unicode_literals
import os
import datetime
from django.core.cache import cache
from django.contrib.auth import login as auth_login, logout as auth_logout
from django.http import HttpResponse
from django.shortcuts import reverse, redirect
from django.utils.decorators import method_decorator
from django.utils.translation import ugettext as _
from django.views.decorators.cache import never_cache
from django.views.decorators.csrf import csrf_protect
from django.views.decorators.debug import sensitive_post_parameters
from django.views.generic.base import TemplateView, RedirectView
from django.views.generic.edit import FormView
from django.conf import settings
from django.urls import reverse_lazy

from common.utils import get_request_ip, get_object_or_none
from users.utils import (
    redirect_user_first_login_or_index, set_tmp_user_to_cache
)
from .. import forms, mixins, errors


__all__ = [
    'UserLoginView', 'UserLogoutView',
    'UserLoginGuardView', 'UserLoginWaitConfirmView',
]


@method_decorator(sensitive_post_parameters(), name='dispatch')
@method_decorator(csrf_protect, name='dispatch')
@method_decorator(never_cache, name='dispatch')
class UserLoginView(mixins.AuthMixin, FormView):
    form_class = forms.UserLoginForm
    form_class_captcha = forms.UserLoginCaptchaForm
    key_prefix_captcha = "_LOGIN_INVALID_{}"
    redirect_field_name = 'next'

    def get_template_names(self):
        template_name = 'authentication/login.html'
        if not settings.XPACK_ENABLED:
            return template_name

        from xpack.plugins.license.models import License
        if not License.has_valid_license():
            return template_name

        template_name = 'authentication/xpack_login.html'
        return template_name

    def get(self, request, *args, **kwargs):
        if request.user.is_staff:
            return redirect(redirect_user_first_login_or_index(
                request, self.redirect_field_name)
            )
        # show jumpserver login page if request http://{JUMP-SERVER}/?admin=1
        if settings.AUTH_OPENID and not self.request.GET.get('admin', 0):
            query_string = request.GET.urlencode()
            openid_login_url = reverse_lazy("authentication:openid:openid-login")
            login_url = "{}?{}".format(openid_login_url, query_string)
            return redirect(login_url)
        request.session.set_test_cookie()
        return super().get(request, *args, **kwargs)

    def form_valid(self, form):
        if not self.request.session.test_cookie_worked():
            return HttpResponse(_("Please enable cookies and try again."))
        try:
            self.check_user_auth()
        except errors.AuthFailedError as e:
            form.add_error(None, e.msg)
            ip = self.get_request_ip()
            cache.set(self.key_prefix_captcha.format(ip), 1, 3600)
            new_form = self.form_class_captcha(data=form.data)
            new_form._errors = form.errors
            context = self.get_context_data(form=new_form)
            return self.render_to_response(context)
        return self.redirect_to_guard_view()

    def redirect_to_guard_view(self):
        guard_url = reverse('authentication:login-guard')
        args = self.request.META.get('QUERY_STRING', '')
        if args:
            guard_url = "%s?%s" % (guard_url, args)
        return redirect(guard_url)

    def get_form_class(self):
        ip = get_request_ip(self.request)
        if cache.get(self.key_prefix_captcha.format(ip)):
            return self.form_class_captcha
        else:
            return self.form_class

    def get_context_data(self, **kwargs):
        context = {
            'demo_mode': os.environ.get("DEMO_MODE"),
            'AUTH_OPENID': settings.AUTH_OPENID,
        }
        kwargs.update(context)
        return super().get_context_data(**kwargs)


class UserLoginGuardView(mixins.AuthMixin, RedirectView):
    redirect_field_name = 'next'
    login_url = reverse_lazy('authentication:login')
    login_otp_url = reverse_lazy('authentication:login-otp')
    login_confirm_url = reverse_lazy('authentication:login-wait-confirm')

    def format_redirect_url(self, url):
        args = self.request.META.get('QUERY_STRING', '')
        if args and self.query_string:
            url = "%s?%s" % (url, args)
        return url

    def get_redirect_url(self, *args, **kwargs):
        try:
            user = self.check_user_auth_if_need()
            self.check_user_mfa_if_need(user)
            self.check_user_login_confirm_if_need(user)
        except errors.CredentialError:
            return self.format_redirect_url(self.login_url)
        except errors.MFARequiredError:
            return self.format_redirect_url(self.login_otp_url)
        except errors.LoginConfirmBaseError:
            return self.format_redirect_url(self.login_confirm_url)
        else:
            # 启用但是没有设置otp, 排除radius
            if user.mfa_enabled_but_not_set():
                # 1,2,mfa_setting & F
                set_tmp_user_to_cache(self.request, user)
                return reverse('users:user-otp-enable-authentication')
            auth_login(self.request, user)
            self.send_auth_signal(success=True, user=user)
            self.clear_auth_mark()
            url = redirect_user_first_login_or_index(
                self.request, self.redirect_field_name
            )
            return url


class UserLoginWaitConfirmView(TemplateView):
    template_name = 'authentication/login_wait_confirm.html'

    def get_context_data(self, **kwargs):
        from tickets.models import Ticket
        ticket_id = self.request.session.get("auth_ticket_id")
        if not ticket_id:
            ticket = None
        else:
            ticket = get_object_or_none(Ticket, pk=ticket_id)
        context = super().get_context_data(**kwargs)
        if ticket:
            timestamp_created = datetime.datetime.timestamp(ticket.date_created)
            ticket_detail_url = reverse('tickets:ticket-detail', kwargs={'pk': ticket_id})
            msg = _("""Wait for <b>{}</b> confirm, You also can copy link to her/him <br/>
                  Don't close this page""").format(ticket.assignees_display)
        else:
            timestamp_created = 0
            ticket_detail_url = ''
            msg = _("No ticket found")
        context.update({
            "msg": msg,
            "timestamp": timestamp_created,
            "ticket_detail_url": ticket_detail_url
        })
        return context


@method_decorator(never_cache, name='dispatch')
class UserLogoutView(TemplateView):
    template_name = 'flash_message_standalone.html'

    def get(self, request, *args, **kwargs):
        auth_logout(request)
        next_uri = request.COOKIES.get("next")
        if next_uri:
            return redirect(next_uri)
        response = super().get(request, *args, **kwargs)
        return response

    def get_context_data(self, **kwargs):
        context = {
            'title': _('Logout success'),
            'messages': _('Logout success, return login page'),
            'interval': 1,
            'redirect_url': reverse('authentication:login'),
            'auto_redirect': True,
        }
        kwargs.update(context)
        return super().get_context_data(**kwargs)
[Update] Stash 2019-02-27 00:45:00 +00:00			`# ~~ coding: utf-8 ~~`
[Update] users认证逻辑迁移到authentication中 2019-02-27 12:55:28 +00:00			`#`
[Update] Stash 2019-02-27 00:45:00 +00:00
			`from __future__ import unicode_literals`
			`import os`
[Update] 基本完成登录二次审核 2019-10-30 05:18:11 +00:00			`import datetime`
[Update] Stash 2019-02-27 00:45:00 +00:00			`from django.core.cache import cache`
			`from django.contrib.auth import login as auth_login, logout as auth_logout`
[Update] users认证逻辑迁移到authentication中 2019-02-27 12:55:28 +00:00			`from django.http import HttpResponse`
[Update] Stash 2019-02-27 00:45:00 +00:00			`from django.shortcuts import reverse, redirect`
			`from django.utils.decorators import method_decorator`
			`from django.utils.translation import ugettext as _`
			`from django.views.decorators.cache import never_cache`
			`from django.views.decorators.csrf import csrf_protect`
			`from django.views.decorators.debug import sensitive_post_parameters`
[Update] 基本完成登录二次审核 2019-10-30 05:18:11 +00:00			`from django.views.generic.base import TemplateView, RedirectView`
[Update] Stash 2019-02-27 00:45:00 +00:00			`from django.views.generic.edit import FormView`
			`from django.conf import settings`
[Update] 基本完成登录逻辑 2019-11-05 10:46:29 +00:00			`from django.urls import reverse_lazy`
[Update] Stash 2019-02-27 00:45:00 +00:00
[Update] 基本完成登录二次审核 2019-10-30 05:18:11 +00:00			`from common.utils import get_request_ip, get_object_or_none`
[Update] users认证逻辑迁移到authentication中 2019-02-27 12:55:28 +00:00			`from users.utils import (`
[Update] 修改确认用户认证成功和绑定MFA的前后逻辑（解决绕过绑定MFA的漏洞；解决管理员重置用户MFA后自动退出的问题） 2020-01-03 07:26:38 +00:00			`redirect_user_first_login_or_index, set_tmp_user_to_cache`
[Update] users认证逻辑迁移到authentication中 2019-02-27 12:55:28 +00:00			`)`
[Update] 基本完成登录逻辑 2019-11-05 10:46:29 +00:00			`from .. import forms, mixins, errors`
[Update] Stash 2019-02-27 00:45:00 +00:00

			`__all__ = [`
[Update] 基本完成登录逻辑 2019-11-05 10:46:29 +00:00			`'UserLoginView', 'UserLogoutView',`
[Update] 基本完成登录二次审核 2019-10-30 05:18:11 +00:00			`'UserLoginGuardView', 'UserLoginWaitConfirmView',`
[Update] Stash 2019-02-27 00:45:00 +00:00			`]`


			`@method_decorator(sensitive_post_parameters(), name='dispatch')`
			`@method_decorator(csrf_protect, name='dispatch')`
			`@method_decorator(never_cache, name='dispatch')`
[Update] 基本完成登录逻辑 2019-11-05 10:46:29 +00:00			`class UserLoginView(mixins.AuthMixin, FormView):`
[Update] Stash 2019-02-27 00:45:00 +00:00			`form_class = forms.UserLoginForm`
			`form_class_captcha = forms.UserLoginCaptchaForm`
			`key_prefix_captcha = "_LOGIN_INVALID_{}"`
[Update] 基本完成登录逻辑 2019-11-05 10:46:29 +00:00			`redirect_field_name = 'next'`
[Update] Stash 2019-02-27 00:45:00 +00:00
			`def get_template_names(self):`
[Update] 统一可更改的interface 2019-03-27 04:20:43 +00:00			`template_name = 'authentication/login.html'`
[Update] Stash 2019-02-27 00:45:00 +00:00			`if not settings.XPACK_ENABLED:`
			`return template_name`

			`from xpack.plugins.license.models import License`
			`if not License.has_valid_license():`
			`return template_name`

[Update] 修改登录路基 2019-10-25 11:20:28 +00:00			`template_name = 'authentication/xpack_login.html'`
[Update] Stash 2019-02-27 00:45:00 +00:00			`return template_name`

			`def get(self, request, args, *kwargs):`
			`if request.user.is_staff:`
			`return redirect(redirect_user_first_login_or_index(`
			`request, self.redirect_field_name)`
			`)`
[Update] 修改预留/auth/login/页面方式(admin=1)；解决luna页面刷新不跳转openid认证的问题 (#2634) 2019-04-25 10:55:48 +00:00			`# show jumpserver login page if request http://{JUMP-SERVER}/?admin=1`
			`if settings.AUTH_OPENID and not self.request.GET.get('admin', 0):`
			`query_string = request.GET.urlencode()`
Config (#3502) * [Update] 修改config * [Update] 移动存储设置到到terminal中 * [Update] 修改permission 查看 * [Update] pre merge * [Update] 录像存储 * [Update] 命令存储 * [Update] 添加存储测试可连接性 * [Update] 修改 meta 值的 key 为大写 * [Update] 修改 Terminal 相关 Storage 配置 * [Update] 删除之前获取录像/命令存储的代码 * [Update] 修改导入失败 * [Update] 迁移文件添加default存储 * [Update] 删除之前代码，添加help_text信息 * [Update] 删除之前代码 * [Update] 删除之前代码 * [Update] 抽象命令/录像存储 APIView * [Update] 抽象命令/录像存储 APIView 1 * [Update] 抽象命令/录像存储 DictField * [Update] 抽象命令/录像存储列表页面 * [Update] 修复CustomDictField的bug * [Update] RemoteApp 页面添加 hidden * [Update] 用户页面添加用户关联授权 * [Update] 修改存储测试可连接性 target * [Update] 修改配置 * [Update] 修改存储前端 Form 渲染逻辑 * [Update] 修改存储细节 * [Update] 统一存储类型到 const 文件 * [Update] 修改迁移文件及Model，创建默认存储 * [Update] 修改迁移文件及Model初始化默认数据 * [Update] 修改迁移文件 * [Update] 修改迁移文件 * [Update] 修改迁移文件 * [Update] 修改迁移文件 * [Update] 修改迁移文件 * [Update] 修改迁移文件 * [Update] 修改迁移文件 * [Update] 限制删除默认存储配置，只允许创建扩展的存储类型 * [Update] 修改ip字段长度 * [Update] 修改ip字段长度 * [Update] 修改一些css * [Update] 修改关联 * [Update] 添加操作日志定时清理 * [Update] 修改记录syslog的instance encoder * [Update] 忽略登录产生的操作日志 * [Update] 限制更新存储时不覆盖原有AK SK 等字段 * [Update] 修改迁移文件添加comment字段 * [Update] 修改迁移文件 * [Update] 添加 comment 字段 * [Update] 修改默认存储no -> null * [Update] 修改细节 * [Update] 更新翻译（存储配置 * [Update] 修改定时任务注册，修改系统用户资产、节点关系api * [Update] 添加监控磁盘任务 * [Update] 修改session * [Update] 拆分serializer * [Update] 还原setting原来的manager 2019-12-05 07:09:25 +00:00			`openid_login_url = reverse_lazy("authentication:openid:openid-login")`
			`login_url = "{}?{}".format(openid_login_url, query_string)`
[Update] 修改预留/auth/login/页面方式(admin=1)；解决luna页面刷新不跳转openid认证的问题 (#2634) 2019-04-25 10:55:48 +00:00			`return redirect(login_url)`
[Update] Stash 2019-02-27 00:45:00 +00:00			`request.session.set_test_cookie()`
			`return super().get(request, args, *kwargs)`

			`def form_valid(self, form):`
			`if not self.request.session.test_cookie_worked():`
			`return HttpResponse(_("Please enable cookies and try again."))`
[Update] 基本完成登录逻辑 2019-11-05 10:46:29 +00:00			`try:`
			`self.check_user_auth()`
			`except errors.AuthFailedError as e:`
			`form.add_error(None, e.msg)`
			`ip = self.get_request_ip()`
			`cache.set(self.key_prefix_captcha.format(ip), 1, 3600)`
[Update] 修改登录验证 2019-11-11 02:58:11 +00:00			`new_form = self.form_class_captcha(data=form.data)`
			`new_form._errors = form.errors`
			`context = self.get_context_data(form=new_form)`
[Update] 基本完成登录逻辑 2019-11-05 10:46:29 +00:00			`return self.render_to_response(context)`
[Update] 基本完成登录二次审核 2019-10-30 05:18:11 +00:00			`return self.redirect_to_guard_view()`
[Update] Stash 2019-02-27 00:45:00 +00:00
[Update] 基本完成登录逻辑 2019-11-05 10:46:29 +00:00			`def redirect_to_guard_view(self):`
			`guard_url = reverse('authentication:login-guard')`
			`args = self.request.META.get('QUERY_STRING', '')`
[Update] 修改bug 2019-11-06 06:40:41 +00:00			`if args:`
[Update] 基本完成登录逻辑 2019-11-05 10:46:29 +00:00			`guard_url = "%s?%s" % (guard_url, args)`
			`return redirect(guard_url)`
[Update] 修改登录路基 2019-10-25 11:20:28 +00:00
[Update] Stash 2019-02-27 00:45:00 +00:00			`def get_form_class(self):`
			`ip = get_request_ip(self.request)`
			`if cache.get(self.key_prefix_captcha.format(ip)):`
			`return self.form_class_captcha`
			`else:`
			`return self.form_class`

			`def get_context_data(self, **kwargs):`
			`context = {`
			`'demo_mode': os.environ.get("DEMO_MODE"),`
			`'AUTH_OPENID': settings.AUTH_OPENID,`
			`}`
			`kwargs.update(context)`
			`return super().get_context_data(**kwargs)`


[Update] 基本完成登录逻辑 2019-11-05 10:46:29 +00:00			`class UserLoginGuardView(mixins.AuthMixin, RedirectView):`
[Update] 修改登录路基 2019-10-25 11:20:28 +00:00			`redirect_field_name = 'next'`
[Update] 基本完成登录逻辑 2019-11-05 10:46:29 +00:00			`login_url = reverse_lazy('authentication:login')`
			`login_otp_url = reverse_lazy('authentication:login-otp')`
			`login_confirm_url = reverse_lazy('authentication:login-wait-confirm')`

			`def format_redirect_url(self, url):`
			`args = self.request.META.get('QUERY_STRING', '')`
			`if args and self.query_string:`
			`url = "%s?%s" % (url, args)`
			`return url`
[Update] 修改登录路基 2019-10-25 11:20:28 +00:00
			`def get_redirect_url(self, args, *kwargs):`
[Update] 修改tickets 2019-11-08 12:17:25 +00:00			`try:`
			`user = self.check_user_auth_if_need()`
			`self.check_user_mfa_if_need(user)`
			`self.check_user_login_confirm_if_need(user)`
			`except errors.CredentialError:`
[Update] 基本完成登录逻辑 2019-11-05 10:46:29 +00:00			`return self.format_redirect_url(self.login_url)`
[Update] 修改tickets 2019-11-08 12:17:25 +00:00			`except errors.MFARequiredError:`
[Update] 基本完成登录逻辑 2019-11-05 10:46:29 +00:00			`return self.format_redirect_url(self.login_otp_url)`
[Update] 修改tickets 2019-11-08 12:17:25 +00:00			`except errors.LoginConfirmBaseError:`
			`return self.format_redirect_url(self.login_confirm_url)`
[Update] Stash 2019-02-27 00:45:00 +00:00			`else:`
[Update] 修改mfa 2019-11-18 08:30:26 +00:00			`# 启用但是没有设置otp, 排除radius`
			`if user.mfa_enabled_but_not_set():`
[Update] 修改tickets 2019-11-08 12:17:25 +00:00			`# 1,2,mfa_setting & F`
[Update] 修改确认用户认证成功和绑定MFA的前后逻辑（解决绕过绑定MFA的漏洞；解决管理员重置用户MFA后自动退出的问题） 2020-01-03 07:26:38 +00:00			`set_tmp_user_to_cache(self.request, user)`
[Update] 修改tickets 2019-11-08 12:17:25 +00:00			`return reverse('users:user-otp-enable-authentication')`
[Update] 修改确认用户认证成功和绑定MFA的前后逻辑（解决绕过绑定MFA的漏洞；解决管理员重置用户MFA后自动退出的问题） 2020-01-03 07:26:38 +00:00			`auth_login(self.request, user)`
			`self.send_auth_signal(success=True, user=user)`
			`self.clear_auth_mark()`
[Update] 修改tickets 2019-11-08 12:17:25 +00:00			`url = redirect_user_first_login_or_index(`
			`self.request, self.redirect_field_name`
[Update] Stash 2019-02-27 00:45:00 +00:00			`)`
[Update] 修改tickets 2019-11-08 12:17:25 +00:00			`return url`
[Update] Stash 2019-02-27 00:45:00 +00:00

[Update] 修改登录路基 2019-10-25 11:20:28 +00:00			`class UserLoginWaitConfirmView(TemplateView):`
			`template_name = 'authentication/login_wait_confirm.html'`

			`def get_context_data(self, **kwargs):`
[Update] 修改工单 2019-11-15 10:55:35 +00:00			`from tickets.models import Ticket`
[Update] Rename app 2019-11-07 10:06:58 +00:00			`ticket_id = self.request.session.get("auth_ticket_id")`
			`if not ticket_id:`
			`ticket = None`
[Update] 基本完成登录二次审核 2019-10-30 05:18:11 +00:00			`else:`
[Update] 修改工单 2019-11-15 10:55:35 +00:00			`ticket = get_object_or_none(Ticket, pk=ticket_id)`
[Update] 基本完成登录二次审核 2019-10-30 05:18:11 +00:00			`context = super().get_context_data(**kwargs)`
[Update] Rename app 2019-11-07 10:06:58 +00:00			`if ticket:`
			`timestamp_created = datetime.datetime.timestamp(ticket.date_created)`
[Update] 修改工单 2019-11-15 10:55:35 +00:00			`ticket_detail_url = reverse('tickets:ticket-detail', kwargs={'pk': ticket_id})`
[Update] 基本完成登录二次审核 2019-10-30 05:18:11 +00:00			`msg = _("""Wait for <b>{}</b> confirm, You also can copy link to her/him <br/>`
[Update] Rename app 2019-11-07 10:06:58 +00:00			`Don't close this page""").format(ticket.assignees_display)`
[Update] 基本完成登录二次审核 2019-10-30 05:18:11 +00:00			`else:`
			`timestamp_created = 0`
[Update] Rename app 2019-11-07 10:06:58 +00:00			`ticket_detail_url = ''`
			`msg = _("No ticket found")`
[Update] 基本完成登录二次审核 2019-10-30 05:18:11 +00:00			`context.update({`
			`"msg": msg,`
			`"timestamp": timestamp_created,`
[Update] Rename app 2019-11-07 10:06:58 +00:00			`"ticket_detail_url": ticket_detail_url`
[Update] 基本完成登录二次审核 2019-10-30 05:18:11 +00:00			`})`
			`return context`
[Update] 修改登录路基 2019-10-25 11:20:28 +00:00

[Update] Stash 2019-02-27 00:45:00 +00:00			`@method_decorator(never_cache, name='dispatch')`
			`class UserLogoutView(TemplateView):`
			`template_name = 'flash_message_standalone.html'`

			`def get(self, request, args, *kwargs):`
			`auth_logout(request)`
			`next_uri = request.COOKIES.get("next")`
			`if next_uri:`
			`return redirect(next_uri)`
			`response = super().get(request, args, *kwargs)`
			`return response`

			`def get_context_data(self, **kwargs):`
			`context = {`
			`'title': _('Logout success'),`
			`'messages': _('Logout success, return login page'),`
			`'interval': 1,`
[Update] users认证逻辑迁移到authentication中 2019-02-27 12:55:28 +00:00			`'redirect_url': reverse('authentication:login'),`
[Update] Stash 2019-02-27 00:45:00 +00:00			`'auto_redirect': True,`
			`}`
			`kwargs.update(context)`
			`return super().get_context_data(**kwargs)`