2021-10-18 03:25:39 +00:00
|
|
|
|
from urllib.parse import urlencode
|
2022-11-11 07:04:31 +00:00
|
|
|
|
|
2021-03-24 11:01:35 +00:00
|
|
|
|
from django.conf import settings
|
2023-10-18 08:09:17 +00:00
|
|
|
|
from django.contrib.auth import logout as auth_logout
|
2021-05-17 06:20:51 +00:00
|
|
|
|
from django.db.utils import IntegrityError
|
2022-11-11 07:04:31 +00:00
|
|
|
|
from django.http.request import HttpRequest
|
|
|
|
|
from django.http.response import HttpResponseRedirect
|
2023-07-24 03:52:25 +00:00
|
|
|
|
from django.utils.translation import gettext_lazy as _
|
2022-11-11 07:04:31 +00:00
|
|
|
|
from django.views import View
|
2021-05-17 06:20:51 +00:00
|
|
|
|
from rest_framework.exceptions import APIException
|
2022-11-11 07:04:31 +00:00
|
|
|
|
from rest_framework.permissions import AllowAny, IsAuthenticated
|
2021-03-24 11:01:35 +00:00
|
|
|
|
|
|
|
|
|
from authentication import errors
|
2022-07-04 03:29:39 +00:00
|
|
|
|
from authentication.const import ConfirmType
|
2022-11-11 07:04:31 +00:00
|
|
|
|
from authentication.mixins import AuthMixin
|
2022-01-12 08:33:45 +00:00
|
|
|
|
from authentication.notifications import OAuthBindMessage
|
2023-10-12 08:17:32 +00:00
|
|
|
|
from authentication.permissions import UserConfirmation
|
2022-11-11 07:04:31 +00:00
|
|
|
|
from common.sdk.im.dingtalk import URL, DingTalk
|
2023-04-28 08:41:13 +00:00
|
|
|
|
from common.utils import get_logger
|
2022-11-11 07:04:31 +00:00
|
|
|
|
from common.utils.common import get_request_ip
|
2023-11-16 03:26:26 +00:00
|
|
|
|
from common.utils.django import get_object_or_none, reverse, safe_next_url
|
2022-11-11 07:04:31 +00:00
|
|
|
|
from common.utils.random import random_string
|
2023-07-24 03:52:25 +00:00
|
|
|
|
from common.views.mixins import PermissionsMixin, UserConfirmRequiredExceptionMixin
|
2022-11-11 07:04:31 +00:00
|
|
|
|
from users.models import User
|
|
|
|
|
from users.views import UserVerifyPasswordView
|
2023-04-28 08:24:33 +00:00
|
|
|
|
from .base import BaseLoginCallbackView
|
|
|
|
|
from .mixins import METAMixin, FlashMessageMixin
|
2021-03-24 11:01:35 +00:00
|
|
|
|
|
|
|
|
|
logger = get_logger(__file__)
|
|
|
|
|
|
|
|
|
|
DINGTALK_STATE_SESSION_KEY = '_dingtalk_state'
|
|
|
|
|
|
|
|
|
|
|
2023-04-28 08:24:33 +00:00
|
|
|
|
class DingTalkBaseMixin(UserConfirmRequiredExceptionMixin, PermissionsMixin, FlashMessageMixin, View):
|
2021-05-17 06:20:51 +00:00
|
|
|
|
def dispatch(self, request, *args, **kwargs):
|
|
|
|
|
try:
|
|
|
|
|
return super().dispatch(request, *args, **kwargs)
|
|
|
|
|
except APIException as e:
|
|
|
|
|
try:
|
|
|
|
|
msg = e.detail['errmsg']
|
|
|
|
|
except Exception:
|
|
|
|
|
msg = _('DingTalk Error, Please contact your system administrator')
|
2021-10-18 03:25:39 +00:00
|
|
|
|
return self.get_failed_response(
|
2021-05-17 06:20:51 +00:00
|
|
|
|
'/',
|
|
|
|
|
_('DingTalk Error'),
|
|
|
|
|
msg
|
|
|
|
|
)
|
|
|
|
|
|
2021-03-24 11:01:35 +00:00
|
|
|
|
def verify_state(self):
|
|
|
|
|
state = self.request.GET.get('state')
|
|
|
|
|
session_state = self.request.session.get(DINGTALK_STATE_SESSION_KEY)
|
|
|
|
|
if state != session_state:
|
|
|
|
|
return False
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
def get_verify_state_failed_response(self, redirect_uri):
|
2021-10-15 02:29:03 +00:00
|
|
|
|
msg = _("The system configuration is incorrect. Please contact your administrator")
|
2021-10-20 11:45:37 +00:00
|
|
|
|
return self.get_failed_response(redirect_uri, msg, msg)
|
2021-03-24 11:01:35 +00:00
|
|
|
|
|
|
|
|
|
def get_already_bound_response(self, redirect_url):
|
|
|
|
|
msg = _('DingTalk is already bound')
|
2021-10-18 03:25:39 +00:00
|
|
|
|
response = self.get_failed_response(redirect_url, msg, msg)
|
2021-03-24 11:01:35 +00:00
|
|
|
|
return response
|
|
|
|
|
|
|
|
|
|
|
2022-03-29 05:19:13 +00:00
|
|
|
|
class DingTalkQRMixin(DingTalkBaseMixin, View):
|
|
|
|
|
|
|
|
|
|
def get_qr_url(self, redirect_uri):
|
|
|
|
|
state = random_string(16)
|
|
|
|
|
self.request.session[DINGTALK_STATE_SESSION_KEY] = state
|
|
|
|
|
|
|
|
|
|
params = {
|
2024-02-04 09:05:11 +00:00
|
|
|
|
'client_id': settings.DINGTALK_APPKEY,
|
2022-03-29 05:19:13 +00:00
|
|
|
|
'response_type': 'code',
|
2024-02-04 09:05:11 +00:00
|
|
|
|
'scope': 'openid',
|
2022-03-29 05:19:13 +00:00
|
|
|
|
'state': state,
|
|
|
|
|
'redirect_uri': redirect_uri,
|
2024-02-04 09:05:11 +00:00
|
|
|
|
'prompt': 'consent'
|
2022-03-29 05:19:13 +00:00
|
|
|
|
}
|
|
|
|
|
url = URL.QR_CONNECT + '?' + urlencode(params)
|
|
|
|
|
return url
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class DingTalkOAuthMixin(DingTalkBaseMixin, View):
|
|
|
|
|
|
|
|
|
|
def get_oauth_url(self, redirect_uri):
|
|
|
|
|
if not settings.AUTH_DINGTALK:
|
|
|
|
|
return reverse('authentication:login')
|
|
|
|
|
state = random_string(16)
|
|
|
|
|
self.request.session[DINGTALK_STATE_SESSION_KEY] = state
|
|
|
|
|
|
|
|
|
|
params = {
|
|
|
|
|
'appid': settings.DINGTALK_APPKEY,
|
|
|
|
|
'response_type': 'code',
|
|
|
|
|
'scope': 'snsapi_auth',
|
|
|
|
|
'state': state,
|
|
|
|
|
'redirect_uri': redirect_uri,
|
|
|
|
|
}
|
|
|
|
|
url = URL.OAUTH_CONNECT + '?' + urlencode(params)
|
|
|
|
|
return url
|
|
|
|
|
|
|
|
|
|
|
2021-03-24 11:01:35 +00:00
|
|
|
|
class DingTalkQRBindView(DingTalkQRMixin, View):
|
2023-10-10 09:52:52 +00:00
|
|
|
|
permission_classes = (IsAuthenticated, UserConfirmation.require(ConfirmType.RELOGIN))
|
2021-03-24 11:01:35 +00:00
|
|
|
|
|
|
|
|
|
def get(self, request: HttpRequest):
|
|
|
|
|
user = request.user
|
|
|
|
|
redirect_url = request.GET.get('redirect_url')
|
|
|
|
|
|
|
|
|
|
redirect_uri = reverse('authentication:dingtalk-qr-bind-callback', kwargs={'user_id': user.id}, external=True)
|
2021-10-18 03:25:39 +00:00
|
|
|
|
redirect_uri += '?' + urlencode({'redirect_url': redirect_url})
|
2021-03-24 11:01:35 +00:00
|
|
|
|
|
|
|
|
|
url = self.get_qr_url(redirect_uri)
|
|
|
|
|
return HttpResponseRedirect(url)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class DingTalkQRBindCallbackView(DingTalkQRMixin, View):
|
|
|
|
|
permission_classes = (IsAuthenticated,)
|
|
|
|
|
|
|
|
|
|
def get(self, request: HttpRequest, user_id):
|
|
|
|
|
code = request.GET.get('code')
|
|
|
|
|
redirect_url = request.GET.get('redirect_url')
|
|
|
|
|
|
|
|
|
|
if not self.verify_state():
|
|
|
|
|
return self.get_verify_state_failed_response(redirect_url)
|
|
|
|
|
|
|
|
|
|
user = get_object_or_none(User, id=user_id)
|
|
|
|
|
if user is None:
|
|
|
|
|
logger.error(f'DingTalkQR bind callback error, user_id invalid: user_id={user_id}')
|
|
|
|
|
msg = _('Invalid user_id')
|
2021-10-18 03:25:39 +00:00
|
|
|
|
response = self.get_failed_response(redirect_url, msg, msg)
|
2021-03-24 11:01:35 +00:00
|
|
|
|
return response
|
|
|
|
|
|
|
|
|
|
if user.dingtalk_id:
|
|
|
|
|
response = self.get_already_bound_response(redirect_url)
|
|
|
|
|
return response
|
|
|
|
|
|
|
|
|
|
dingtalk = DingTalk(
|
|
|
|
|
appid=settings.DINGTALK_APPKEY,
|
|
|
|
|
appsecret=settings.DINGTALK_APPSECRET,
|
|
|
|
|
agentid=settings.DINGTALK_AGENTID
|
|
|
|
|
)
|
2023-04-28 06:01:44 +00:00
|
|
|
|
userid, __ = dingtalk.get_user_id_by_code(code)
|
2021-03-24 11:01:35 +00:00
|
|
|
|
|
|
|
|
|
if not userid:
|
|
|
|
|
msg = _('DingTalk query user failed')
|
2021-10-18 03:25:39 +00:00
|
|
|
|
response = self.get_failed_response(redirect_url, msg, msg)
|
2021-03-24 11:01:35 +00:00
|
|
|
|
return response
|
|
|
|
|
|
2021-05-17 06:20:51 +00:00
|
|
|
|
try:
|
|
|
|
|
user.dingtalk_id = userid
|
|
|
|
|
user.save()
|
|
|
|
|
except IntegrityError as e:
|
|
|
|
|
if e.args[0] == 1062:
|
|
|
|
|
msg = _('The DingTalk is already bound to another user')
|
2021-10-18 03:25:39 +00:00
|
|
|
|
response = self.get_failed_response(redirect_url, msg, msg)
|
2021-05-17 06:20:51 +00:00
|
|
|
|
return response
|
|
|
|
|
raise e
|
2021-03-24 11:01:35 +00:00
|
|
|
|
|
2022-01-12 08:33:45 +00:00
|
|
|
|
ip = get_request_ip(request)
|
2022-01-12 08:33:45 +00:00
|
|
|
|
OAuthBindMessage(user, ip, _('DingTalk'), user_id).publish_async()
|
2021-03-24 11:01:35 +00:00
|
|
|
|
msg = _('Binding DingTalk successfully')
|
2023-10-18 08:09:17 +00:00
|
|
|
|
auth_logout(request)
|
2021-10-18 03:25:39 +00:00
|
|
|
|
response = self.get_success_response(redirect_url, msg, msg)
|
2021-03-24 11:01:35 +00:00
|
|
|
|
return response
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class DingTalkEnableStartView(UserVerifyPasswordView):
|
|
|
|
|
|
|
|
|
|
def get_success_url(self):
|
|
|
|
|
referer = self.request.META.get('HTTP_REFERER')
|
|
|
|
|
redirect_url = self.request.GET.get("redirect_url")
|
|
|
|
|
|
|
|
|
|
success_url = reverse('authentication:dingtalk-qr-bind')
|
|
|
|
|
|
2021-10-18 03:25:39 +00:00
|
|
|
|
success_url += '?' + urlencode({
|
2021-03-24 11:01:35 +00:00
|
|
|
|
'redirect_url': redirect_url or referer
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
return success_url
|
|
|
|
|
|
|
|
|
|
|
2022-05-05 05:07:48 +00:00
|
|
|
|
class DingTalkQRLoginView(DingTalkQRMixin, METAMixin, View):
|
2021-03-24 11:01:35 +00:00
|
|
|
|
permission_classes = (AllowAny,)
|
|
|
|
|
|
2023-01-16 11:02:09 +00:00
|
|
|
|
def get(self, request: HttpRequest):
|
2022-05-17 10:50:16 +00:00
|
|
|
|
redirect_url = request.GET.get('redirect_url') or reverse('index')
|
|
|
|
|
next_url = self.get_next_url_from_meta() or reverse('index')
|
2023-11-16 03:26:26 +00:00
|
|
|
|
next_url = safe_next_url(next_url, request=request)
|
2021-03-24 11:01:35 +00:00
|
|
|
|
|
|
|
|
|
redirect_uri = reverse('authentication:dingtalk-qr-login-callback', external=True)
|
2022-05-05 05:07:48 +00:00
|
|
|
|
redirect_uri += '?' + urlencode({
|
|
|
|
|
'redirect_url': redirect_url,
|
2022-05-17 10:50:16 +00:00
|
|
|
|
'next': next_url,
|
2022-05-05 05:07:48 +00:00
|
|
|
|
})
|
2021-03-24 11:01:35 +00:00
|
|
|
|
|
|
|
|
|
url = self.get_qr_url(redirect_uri)
|
|
|
|
|
return HttpResponseRedirect(url)
|
|
|
|
|
|
|
|
|
|
|
2023-04-28 08:24:33 +00:00
|
|
|
|
class DingTalkQRLoginCallbackView(DingTalkQRMixin, BaseLoginCallbackView):
|
2021-03-24 11:01:35 +00:00
|
|
|
|
permission_classes = (AllowAny,)
|
|
|
|
|
|
2023-05-08 07:36:33 +00:00
|
|
|
|
client_type_path = 'common.sdk.im.dingtalk.DingTalk'
|
|
|
|
|
client_auth_params = {
|
|
|
|
|
'appid': 'DINGTALK_APPKEY', 'appsecret': 'DINGTALK_APPSECRET',
|
|
|
|
|
'agentid': 'DINGTALK_AGENTID'
|
|
|
|
|
}
|
|
|
|
|
user_type = 'dingtalk'
|
|
|
|
|
auth_backend = 'AUTH_BACKEND_DINGTALK'
|
|
|
|
|
|
|
|
|
|
msg_client_err = _('DingTalk Error')
|
|
|
|
|
msg_user_not_bound_err = _('DingTalk is not bound')
|
|
|
|
|
msg_not_found_user_from_client_err = _('Failed to get user from DingTalk')
|
2022-03-29 05:19:13 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class DingTalkOAuthLoginView(DingTalkOAuthMixin, View):
|
|
|
|
|
permission_classes = (AllowAny,)
|
|
|
|
|
|
2023-01-16 11:02:09 +00:00
|
|
|
|
def get(self, request: HttpRequest):
|
2022-03-29 05:19:13 +00:00
|
|
|
|
redirect_url = request.GET.get('redirect_url')
|
|
|
|
|
|
|
|
|
|
redirect_uri = reverse('authentication:dingtalk-oauth-login-callback', external=True)
|
|
|
|
|
redirect_uri += '?' + urlencode({'redirect_url': redirect_url})
|
|
|
|
|
|
|
|
|
|
url = self.get_oauth_url(redirect_uri)
|
|
|
|
|
return HttpResponseRedirect(url)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class DingTalkOAuthLoginCallbackView(AuthMixin, DingTalkOAuthMixin, View):
|
|
|
|
|
permission_classes = (AllowAny,)
|
|
|
|
|
|
|
|
|
|
def get(self, request: HttpRequest):
|
|
|
|
|
code = request.GET.get('code')
|
|
|
|
|
redirect_url = request.GET.get('redirect_url')
|
|
|
|
|
login_url = reverse('authentication:login')
|
|
|
|
|
|
|
|
|
|
if not self.verify_state():
|
|
|
|
|
return self.get_verify_state_failed_response(redirect_url)
|
|
|
|
|
|
|
|
|
|
dingtalk = DingTalk(
|
|
|
|
|
appid=settings.DINGTALK_APPKEY,
|
|
|
|
|
appsecret=settings.DINGTALK_APPSECRET,
|
|
|
|
|
agentid=settings.DINGTALK_AGENTID
|
|
|
|
|
)
|
2023-04-28 06:01:44 +00:00
|
|
|
|
userid, __ = dingtalk.get_user_id_by_code(code)
|
2022-03-29 05:19:13 +00:00
|
|
|
|
if not userid:
|
|
|
|
|
# 正常流程不会出这个错误,hack 行为
|
|
|
|
|
msg = _('Failed to get user from DingTalk')
|
|
|
|
|
response = self.get_failed_response(login_url, title=msg, msg=msg)
|
|
|
|
|
return response
|
|
|
|
|
|
|
|
|
|
user = get_object_or_none(User, dingtalk_id=userid)
|
|
|
|
|
if user is None:
|
|
|
|
|
title = _('DingTalk is not bound')
|
|
|
|
|
msg = _('Please login with a password and then bind the DingTalk')
|
|
|
|
|
response = self.get_failed_response(login_url, title=title, msg=msg)
|
|
|
|
|
return response
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
self.check_oauth2_auth(user, settings.AUTH_BACKEND_DINGTALK)
|
|
|
|
|
except errors.AuthFailedError as e:
|
|
|
|
|
self.set_login_failed_mark()
|
|
|
|
|
msg = e.msg
|
|
|
|
|
response = self.get_failed_response(login_url, title=msg, msg=msg)
|
|
|
|
|
return response
|
|
|
|
|
|
2022-05-05 05:07:48 +00:00
|
|
|
|
return self.redirect_to_guard_view()
|