jumpserver/apps/authentication/mixins.py

# -*- coding: utf-8 -*-
#
import inspect
from urllib.parse import urlencode
from functools import partial
import time

from django.core.cache import cache
from django.conf import settings
from django.contrib import auth
from django.utils.translation import ugettext as _
from django.contrib.auth import (
    BACKEND_SESSION_KEY, _get_backends,
    PermissionDenied, user_login_failed, _clean_credentials
)
from django.shortcuts import reverse, redirect
from django.views.generic.edit import FormView

from common.utils import get_object_or_none, get_request_ip, get_logger, bulk_get, FlashMessageUtil
from users.models import User, MFAType
from users.utils import LoginBlockUtil, MFABlockUtils
from . import errors
from .utils import rsa_decrypt, gen_key_pair
from .signals import post_auth_success, post_auth_failed
from .const import RSA_PRIVATE_KEY, RSA_PUBLIC_KEY

logger = get_logger(__name__)


def check_backend_can_auth(username, backend_path, allowed_auth_backends):
    if allowed_auth_backends is not None and backend_path not in allowed_auth_backends:
        logger.debug('Skip user auth backend: {}, {} not in'.format(
                username, backend_path, ','.join(allowed_auth_backends)
            )
        )
        return False
    return True


def authenticate(request=None, **credentials):
    """
    If the given credentials are valid, return a User object.
    """
    username = credentials.get('username')
    allowed_auth_backends = User.get_user_allowed_auth_backends(username)

    for backend, backend_path in _get_backends(return_tuples=True):
        # 预先检查，不浪费认证时间
        if not check_backend_can_auth(username, backend_path, allowed_auth_backends):
            continue

        backend_signature = inspect.signature(backend.authenticate)
        try:
            backend_signature.bind(request, **credentials)
        except TypeError:
            # This backend doesn't accept these credentials as arguments. Try the next one.
            continue
        try:
            user = backend.authenticate(request, **credentials)
        except PermissionDenied:
            # This backend says to stop in our tracks - this user should not be allowed in at all.
            break
        if user is None:
            continue
        # 如果是 None, 证明没有检查过, 需要再次检查
        if allowed_auth_backends is None:
            # 有些 authentication 参数中不带 username, 之后还要再检查
            allowed_auth_backends = user.get_allowed_auth_backends()
            if not check_backend_can_auth(user.username, backend_path, allowed_auth_backends):
                continue

        # Annotate the user object with the path of the backend.
        user.backend = backend_path
        return user

    # The credentials supplied are invalid to all backends, fire signal
    user_login_failed.send(sender=__name__, credentials=_clean_credentials(credentials), request=request)


auth.authenticate = authenticate


class PasswordEncryptionViewMixin:
    request = None

    def get_decrypted_password(self, password=None, username=None):
        request = self.request
        if hasattr(request, 'data'):
            data = request.data
        else:
            data = request.POST

        username = username or data.get('username')
        password = password or data.get('password')

        password = self.decrypt_passwd(password)
        if not password:
            self.raise_password_decrypt_failed(username=username)
        return password

    def raise_password_decrypt_failed(self, username):
        ip = self.get_request_ip()
        raise errors.CredentialError(
            error=errors.reason_password_decrypt_failed,
            username=username, ip=ip, request=self.request
        )

    def decrypt_passwd(self, raw_passwd):
        # 获取解密密钥，对密码进行解密
        rsa_private_key = self.request.session.get(RSA_PRIVATE_KEY)
        if rsa_private_key is not None:
            try:
                return rsa_decrypt(raw_passwd, rsa_private_key)
            except Exception as e:
                logger.error(e, exc_info=True)
                logger.error(
                    f'Decrypt password failed: password[{raw_passwd}] '
                    f'rsa_private_key[{rsa_private_key}]'
                )
                return None
        return raw_passwd

    def get_request_ip(self):
        ip = ''
        if hasattr(self.request, 'data'):
            ip = self.request.data.get('remote_addr', '')
        ip = ip or get_request_ip(self.request)
        return ip

    def get_context_data(self, **kwargs):
        # 生成加解密密钥对，public_key传递给前端，private_key存入session中供解密使用
        rsa_public_key = self.request.session.get(RSA_PUBLIC_KEY)
        rsa_private_key = self.request.session.get(RSA_PRIVATE_KEY)
        if not all((rsa_private_key, rsa_public_key)):
            rsa_private_key, rsa_public_key = gen_key_pair()
            rsa_public_key = rsa_public_key.replace('\n', '\\n')
            self.request.session[RSA_PRIVATE_KEY] = rsa_private_key
            self.request.session[RSA_PUBLIC_KEY] = rsa_public_key

        kwargs.update({
            'rsa_public_key': rsa_public_key,
        })
        return super().get_context_data(**kwargs)


class AuthMixin(PasswordEncryptionViewMixin):
    request = None
    partial_credential_error = None

    key_prefix_captcha = "_LOGIN_INVALID_{}"

    def get_user_from_session(self):
        if self.request.session.is_empty():
            raise errors.SessionEmptyError()

        if all((self.request.user,
                not self.request.user.is_anonymous,
                BACKEND_SESSION_KEY in self.request.session)):
            user = self.request.user
            user.backend = self.request.session[BACKEND_SESSION_KEY]
            return user

        user_id = self.request.session.get('user_id')
        if not user_id:
            user = None
        else:
            user = get_object_or_none(User, pk=user_id)
        if not user:
            raise errors.SessionEmptyError()
        user.backend = self.request.session.get("auth_backend")
        return user

    def _check_is_block(self, username, raise_exception=True):
        ip = self.get_request_ip()
        if LoginBlockUtil(username, ip).is_block():
            logger.warn('Ip was blocked' + ': ' + username + ':' + ip)
            exception = errors.BlockLoginError(username=username, ip=ip)
            if raise_exception:
                raise errors.BlockLoginError(username=username, ip=ip)
            else:
                return exception

    def check_is_block(self, raise_exception=True):
        if hasattr(self.request, 'data'):
            username = self.request.data.get("username")
        else:
            username = self.request.POST.get("username")
        self._check_is_block(username, raise_exception)

    def raise_credential_error(self, error):
        raise self.partial_credential_error(error=error)

    def _set_partial_credential_error(self, username, ip, request):
        self.partial_credential_error = partial(errors.CredentialError, username=username, ip=ip, request=request)

    def get_auth_data(self, decrypt_passwd=False):
        request = self.request
        if hasattr(request, 'data'):
            data = request.data
        else:
            data = request.POST

        items = ['username', 'password', 'challenge', 'public_key', 'auto_login']
        username, password, challenge, public_key, auto_login = bulk_get(data, *items,  default='')
        ip = self.get_request_ip()
        self._set_partial_credential_error(username=username, ip=ip, request=request)

        password = password + challenge.strip()
        if decrypt_passwd:
            password = self.get_decrypted_password()
        return username, password, public_key, ip, auto_login

    def _check_only_allow_exists_user_auth(self, username):
        # 仅允许预先存在的用户认证
        if settings.ONLY_ALLOW_EXIST_USER_AUTH:
            exist = User.objects.filter(username=username).exists()
            if not exist:
                logger.error(f"Only allow exist user auth, login failed: {username}")
                self.raise_credential_error(errors.reason_user_not_exist)

    def _check_auth_user_is_valid(self, username, password, public_key):
        user = authenticate(self.request, username=username, password=password, public_key=public_key)
        if not user:
            self.raise_credential_error(errors.reason_password_failed)
        elif user.is_expired:
            self.raise_credential_error(errors.reason_user_expired)
        elif not user.is_active:
            self.raise_credential_error(errors.reason_user_inactive)
        return user

    def _check_login_acl(self, user, ip):
        # ACL 限制用户登录
        from acls.models import LoginACL
        is_allowed = LoginACL.allow_user_to_login(user, ip)
        if not is_allowed:
            raise errors.LoginIPNotAllowed(username=user.username, request=self.request)

    def set_login_failed_mark(self):
        ip = self.get_request_ip()
        cache.set(self.key_prefix_captcha.format(ip), 1, 3600)

    def set_passwd_verify_on_session(self, user: User):
        self.request.session['user_id'] = str(user.id)
        self.request.session['auth_password'] = 1
        self.request.session['auth_password_expired_at'] = time.time() + settings.AUTH_EXPIRED_SECONDS

    def check_is_need_captcha(self):
        # 最近有登录失败时需要填写验证码
        ip = get_request_ip(self.request)
        need = cache.get(self.key_prefix_captcha.format(ip))
        return need

    def check_user_auth(self, decrypt_passwd=False):
        self.check_is_block()
        request = self.request
        username, password, public_key, ip, auto_login = self.get_auth_data(decrypt_passwd=decrypt_passwd)

        self._check_only_allow_exists_user_auth(username)
        user = self._check_auth_user_is_valid(username, password, public_key)
        # 校验login-acl规则
        self._check_login_acl(user, ip)
        self._check_password_require_reset_or_not(user)
        self._check_passwd_is_too_simple(user, password)
        self._check_passwd_need_update(user)

        LoginBlockUtil(username, ip).clean_failed_count()
        request.session['auth_password'] = 1
        request.session['user_id'] = str(user.id)
        request.session['auto_login'] = auto_login
        request.session['auth_backend'] = getattr(user, 'backend', settings.AUTH_BACKEND_MODEL)
        return user

    def _check_is_local_user(self, user: User):
        if user.source != User.Source.local:
            raise self.raise_credential_error(error=errors.only_local_users_are_allowed)

    def check_oauth2_auth(self, user: User, auth_backend):
        ip = self.get_request_ip()
        request = self.request

        self._set_partial_credential_error(user.username, ip, request)

        if user.is_expired:
            self.raise_credential_error(errors.reason_user_expired)
        elif not user.is_active:
            self.raise_credential_error(errors.reason_user_inactive)

        self._check_is_local_user(user)
        self._check_is_block(user.username)
        self._check_login_acl(user, ip)

        LoginBlockUtil(user.username, ip).clean_failed_count()
        MFABlockUtils(user.username, ip).clean_failed_count()

        request.session['auth_password'] = 1
        request.session['user_id'] = str(user.id)
        request.session['auth_backend'] = auth_backend
        return user

    @classmethod
    def generate_reset_password_url_with_flash_msg(cls, user, message):
        reset_passwd_url = reverse('authentication:reset-password')
        query_str = urlencode({
            'token': user.generate_reset_token()
        })
        reset_passwd_url = f'{reset_passwd_url}?{query_str}'

        message_data = {
            'title': _('Please change your password'),
            'message': message,
            'interval': 3,
            'redirect_url': reset_passwd_url,
        }
        return FlashMessageUtil.gen_message_url(message_data)

    @classmethod
    def _check_passwd_is_too_simple(cls, user: User, password):
        if user.is_superuser and password == 'admin':
            message = _('Your password is too simple, please change it for security')
            url = cls.generate_reset_password_url_with_flash_msg(user, message=message)
            raise errors.PasswdTooSimple(url)

    @classmethod
    def _check_passwd_need_update(cls, user: User):
        if user.need_update_password:
            message = _('You should to change your password before login')
            url = cls.generate_reset_password_url_with_flash_msg(user, message)
            raise errors.PasswdNeedUpdate(url)

    @classmethod
    def _check_password_require_reset_or_not(cls, user: User):
        if user.password_has_expired:
            message = _('Your password has expired, please reset before logging in')
            url = cls.generate_reset_password_url_with_flash_msg(user, message)
            raise errors.PasswordRequireResetError(url)

    def check_user_auth_if_need(self, decrypt_passwd=False):
        request = self.request
        if request.session.get('auth_password') and \
                request.session.get('user_id'):
            user = self.get_user_from_session()
            if user:
                return user
        return self.check_user_auth(decrypt_passwd=decrypt_passwd)

    def check_user_mfa_if_need(self, user):
        if self.request.session.get('auth_mfa'):
            return

        if settings.OTP_IN_RADIUS:
            return

        if not user.mfa_enabled:
            return
        unset, url = user.mfa_enabled_but_not_set()
        if unset:
            raise errors.MFAUnsetError(user, self.request, url)
        raise errors.MFARequiredError(mfa_types=user.get_supported_mfa_types())

    def mark_mfa_ok(self, mfa_type=MFAType.OTP):
        self.request.session['auth_mfa'] = 1
        self.request.session['auth_mfa_time'] = time.time()
        self.request.session['auth_mfa_required'] = ''
        self.request.session['auth_mfa_type'] = mfa_type

    def check_mfa_is_block(self, username, ip, raise_exception=True):
        if MFABlockUtils(username, ip).is_block():
            logger.warn('Ip was blocked' + ': ' + username + ':' + ip)
            exception = errors.BlockMFAError(username=username, request=self.request, ip=ip)
            if raise_exception:
                raise exception
            else:
                return exception

    def check_user_mfa(self, code, mfa_type=MFAType.OTP):
        user = self.get_user_from_session()
        ip = self.get_request_ip()
        self.check_mfa_is_block(user.username, ip)
        ok = user.check_mfa(code, mfa_type=mfa_type)
        if ok:
            self.mark_mfa_ok()
            return

        raise errors.MFAFailedError(
            username=user.username,
            request=self.request,
            ip=ip, mfa_type=mfa_type,
        )

    def get_ticket(self):
        from tickets.models import Ticket
        ticket_id = self.request.session.get("auth_ticket_id")
        logger.debug('Login confirm ticket id: {}'.format(ticket_id))
        if not ticket_id:
            ticket = None
        else:
            ticket = Ticket.all().filter(id=ticket_id).first()
        return ticket

    def get_ticket_or_create(self, confirm_setting):
        ticket = self.get_ticket()
        if not ticket or ticket.status_closed:
            ticket = confirm_setting.create_confirm_ticket(self.request)
            self.request.session['auth_ticket_id'] = str(ticket.id)
        return ticket

    def check_user_login_confirm(self):
        ticket = self.get_ticket()
        if not ticket:
            raise errors.LoginConfirmOtherError('', "Not found")
        if ticket.status_open:
            raise errors.LoginConfirmWaitError(ticket.id)
        elif ticket.state_approve:
            self.request.session["auth_confirm"] = "1"
            return
        elif ticket.state_reject:
            raise errors.LoginConfirmOtherError(
                ticket.id, ticket.get_action_display()
            )
        elif ticket.state_close:
            raise errors.LoginConfirmOtherError(
                ticket.id, ticket.get_action_display()
            )
        else:
            raise errors.LoginConfirmOtherError(
                ticket.id, ticket.get_status_display()
            )

    def check_user_login_confirm_if_need(self, user):
        if not settings.LOGIN_CONFIRM_ENABLE:
            return
        confirm_setting = user.get_login_confirm_setting()
        if self.request.session.get('auth_confirm') or not confirm_setting:
            return
        self.get_ticket_or_create(confirm_setting)
        self.check_user_login_confirm()

    def clear_auth_mark(self):
        self.request.session['auth_password'] = ''
        self.request.session['auth_user_id'] = ''
        self.request.session['auth_confirm'] = ''
        self.request.session['auth_ticket_id'] = ''

    def send_auth_signal(self, success=True, user=None, username='', reason=''):
        if success:
            post_auth_success.send(
                sender=self.__class__, user=user, request=self.request
            )
        else:
            post_auth_failed.send(
                sender=self.__class__, username=username,
                request=self.request, reason=reason
            )

    def redirect_to_guard_view(self):
        guard_url = reverse('authentication:login-guard')
        args = self.request.META.get('QUERY_STRING', '')
        if args:
            guard_url = "%s?%s" % (guard_url, args)
        return redirect(guard_url)
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								# -*- coding: utf-8 -*-
 								#
-												perf(users): 优化用户认证来源

											
										
										
											4 years ago
+								import inspect
-												feat(authentication): 超级管理员密码不能是`admin`

											
										
										
											4 years ago
+								from urllib.parse import urlencode
-												feat(authenticaion): 添加登录页面验证码与MFA开关

											
										
										
											4 years ago
+								from functools import partial
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								import time
-												feat(authentication): 超级管理员密码不能是`admin`

											
										
										
											4 years ago
-												feat: 添加企业微信，钉钉扫码登录

											
										
										
											4 years ago
+								from django.core.cache import cache
-												[Update] 修改tickets

											
										
										
											5 years ago
+								from django.conf import settings
-												perf(users): 优化用户认证来源

											
										
										
											4 years ago
+								from django.contrib import auth
-												perf: 优化登录，cas, openid 自动登录

											
										
										
											4 years ago
+								from django.utils.translation import ugettext as _
-												perf(users): 优化用户认证来源

											
										
										
											4 years ago
+								from django.contrib.auth import (
 								    BACKEND_SESSION_KEY, _get_backends,
 								    PermissionDenied, user_login_failed, _clean_credentials
 								)
-												feat: 添加企业微信，钉钉扫码登录

											
										
										
											4 years ago
+								from django.shortcuts import reverse, redirect
-												perf: 绑定MFA认证密码时对密码进行加密传输 (#6776)

* perf: 绑定MFA认证密码时对密码进行加密传输

* perf: 绑定MFA认证密码时对密码进行加密传输

Co-authored-by: Michael Bai <baijiangjie@gmail.com>
											
										
										
											3 years ago
+								from django.views.generic.edit import FormView
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
-												perf: 优化登录，cas, openid 自动登录

											
										
										
											4 years ago
+								from common.utils import get_object_or_none, get_request_ip, get_logger, bulk_get, FlashMessageUtil
-												feat: 添加短信服务和用户消息通知

											
										
										
											3 years ago
+								from users.models import User, MFAType
-												feat: MFA 登录次数限制

											
										
										
											4 years ago
+								from users.utils import LoginBlockUtil, MFABlockUtils
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								from . import errors
-												perf: 绑定MFA认证密码时对密码进行加密传输 (#6776)

* perf: 绑定MFA认证密码时对密码进行加密传输

* perf: 绑定MFA认证密码时对密码进行加密传输

Co-authored-by: Michael Bai <baijiangjie@gmail.com>
											
										
										
											3 years ago
+								from .utils import rsa_decrypt, gen_key_pair
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								from .signals import post_auth_success, post_auth_failed
-												perf: 绑定MFA认证密码时对密码进行加密传输 (#6776)

* perf: 绑定MFA认证密码时对密码进行加密传输

* perf: 绑定MFA认证密码时对密码进行加密传输

Co-authored-by: Michael Bai <baijiangjie@gmail.com>
											
										
										
											3 years ago
+								from .const import RSA_PRIVATE_KEY, RSA_PUBLIC_KEY
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
 								logger = get_logger(__name__)
-												perf(users): 优化用户认证来源

											
										
										
											4 years ago
+								def check_backend_can_auth(username, backend_path, allowed_auth_backends):
 								    if allowed_auth_backends is not None and backend_path not in allowed_auth_backends:
 								        logger.debug('Skip user auth backend: {}, {} not in'.format(
 								                username, backend_path, ','.join(allowed_auth_backends)
 								            )
 								        )
 								        return False
 								    return True
 								def authenticate(request=None, **credentials):
 								    """
 								    If the given credentials are valid, return a User object.
 								    """
 								    username = credentials.get('username')
 								    allowed_auth_backends = User.get_user_allowed_auth_backends(username)
 								    for backend, backend_path in _get_backends(return_tuples=True):
 								        # 预先检查，不浪费认证时间
 								        if not check_backend_can_auth(username, backend_path, allowed_auth_backends):
 								            continue
 								        backend_signature = inspect.signature(backend.authenticate)
 								        try:
 								            backend_signature.bind(request, **credentials)
 								        except TypeError:
 								            # This backend doesn't accept these credentials as arguments. Try the next one.
 								            continue
 								        try:
 								            user = backend.authenticate(request, **credentials)
 								        except PermissionDenied:
 								            # This backend says to stop in our tracks - this user should not be allowed in at all.
 								            break
 								        if user is None:
 								            continue
 								        # 如果是 None, 证明没有检查过, 需要再次检查
 								        if allowed_auth_backends is None:
 								            # 有些 authentication 参数中不带 username, 之后还要再检查
 								            allowed_auth_backends = user.get_allowed_auth_backends()
 								            if not check_backend_can_auth(user.username, backend_path, allowed_auth_backends):
 								                continue
 								        # Annotate the user object with the path of the backend.
 								        user.backend = backend_path
 								        return user
 								    # The credentials supplied are invalid to all backends, fire signal
 								    user_login_failed.send(sender=__name__, credentials=_clean_credentials(credentials), request=request)
 								auth.authenticate = authenticate
-												perf: 绑定MFA认证密码时对密码进行加密传输 (#6776)

* perf: 绑定MFA认证密码时对密码进行加密传输

* perf: 绑定MFA认证密码时对密码进行加密传输

Co-authored-by: Michael Bai <baijiangjie@gmail.com>
											
										
										
											3 years ago
+								class PasswordEncryptionViewMixin:
 								    request = None
 								    def get_decrypted_password(self, password=None, username=None):
 								        request = self.request
 								        if hasattr(request, 'data'):
 								            data = request.data
 								        else:
 								            data = request.POST
 								        username = username or data.get('username')
 								        password = password or data.get('password')
 								        password = self.decrypt_passwd(password)
 								        if not password:
 								            self.raise_password_decrypt_failed(username=username)
 								        return password
 								    def raise_password_decrypt_failed(self, username):
 								        ip = self.get_request_ip()
 								        raise errors.CredentialError(
 								            error=errors.reason_password_decrypt_failed,
 								            username=username, ip=ip, request=self.request
 								        )
 								    def decrypt_passwd(self, raw_passwd):
 								        # 获取解密密钥，对密码进行解密
 								        rsa_private_key = self.request.session.get(RSA_PRIVATE_KEY)
 								        if rsa_private_key is not None:
 								            try:
 								                return rsa_decrypt(raw_passwd, rsa_private_key)
 								            except Exception as e:
 								                logger.error(e, exc_info=True)
 								                logger.error(
 								                    f'Decrypt password failed: password[{raw_passwd}] '
 								                    f'rsa_private_key[{rsa_private_key}]'
 								                )
 								                return None
 								        return raw_passwd
 								    def get_request_ip(self):
 								        ip = ''
 								        if hasattr(self.request, 'data'):
 								            ip = self.request.data.get('remote_addr', '')
 								        ip = ip or get_request_ip(self.request)
 								        return ip
 								    def get_context_data(self, **kwargs):
 								        # 生成加解密密钥对，public_key传递给前端，private_key存入session中供解密使用
 								        rsa_public_key = self.request.session.get(RSA_PUBLIC_KEY)
 								        rsa_private_key = self.request.session.get(RSA_PRIVATE_KEY)
 								        if not all((rsa_private_key, rsa_public_key)):
 								            rsa_private_key, rsa_public_key = gen_key_pair()
 								            rsa_public_key = rsa_public_key.replace('\n', '\\n')
 								            self.request.session[RSA_PRIVATE_KEY] = rsa_private_key
 								            self.request.session[RSA_PUBLIC_KEY] = rsa_public_key
 								        kwargs.update({
 								            'rsa_public_key': rsa_public_key,
 								        })
 								        return super().get_context_data(**kwargs)
 								class AuthMixin(PasswordEncryptionViewMixin):
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								    request = None
-												feat: 添加限制用户只能从source登录的功能 (#5592)

* stash it

* feat: 添加限制用户只能从source登录的功能

* fix: 修复小错误

Co-authored-by: ibuler <ibuler@qq.com>
											
										
										
											4 years ago
+								    partial_credential_error = None
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
-												feat: 添加企业微信，钉钉扫码登录

											
										
										
											4 years ago
+								    key_prefix_captcha = "_LOGIN_INVALID_{}"
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								    def get_user_from_session(self):
 								        if self.request.session.is_empty():
 								            raise errors.SessionEmptyError()
-												fix(authentication): 组织成员禁用再激活，登录报错 #239

											
										
										
											4 years ago
 								        if all((self.request.user,
 								                not self.request.user.is_anonymous,
 								                BACKEND_SESSION_KEY in self.request.session)):
 								            user = self.request.user
 								            user.backend = self.request.session[BACKEND_SESSION_KEY]
 								            return user
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								        user_id = self.request.session.get('user_id')
 								        if not user_id:
 								            user = None
 								        else:
 								            user = get_object_or_none(User, pk=user_id)
 								        if not user:
 								            raise errors.SessionEmptyError()
-												[Bugfix] 修复没有backend的问题

											
										
										
											5 years ago
+								        user.backend = self.request.session.get("auth_backend")
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								        return user
-												feat: 添加企业微信，钉钉扫码登录

											
										
										
											4 years ago
+								    def _check_is_block(self, username, raise_exception=True):
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								        ip = self.get_request_ip()
-												feat: MFA 登录次数限制

											
										
										
											4 years ago
+								        if LoginBlockUtil(username, ip).is_block():
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								            logger.warn('Ip was blocked' + ': ' + username + ':' + ip)
-												fix(auth): 修复用户登录失败次数出现0次

											
										
										
											4 years ago
+								            exception = errors.BlockLoginError(username=username, ip=ip)
 								            if raise_exception:
 								                raise errors.BlockLoginError(username=username, ip=ip)
 								            else:
 								                return exception
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
-												feat: 添加企业微信，钉钉扫码登录

											
										
										
											4 years ago
+								    def check_is_block(self, raise_exception=True):
 								        if hasattr(self.request, 'data'):
 								            username = self.request.data.get("username")
 								        else:
 								            username = self.request.POST.get("username")
 								        self._check_is_block(username, raise_exception)
-												feat: 添加限制用户只能从source登录的功能 (#5592)

* stash it

* feat: 添加限制用户只能从source登录的功能

* fix: 修复小错误

Co-authored-by: ibuler <ibuler@qq.com>
											
										
										
											4 years ago
+								    def raise_credential_error(self, error):
-												perf: 优化登录页面，非常给力

perf: 优化报错

perf: 优化忘记密码

perf: 添加注释

											
										
										
											4 years ago
+								        raise self.partial_credential_error(error=error)
-												feat: 添加限制用户只能从source登录的功能 (#5592)

* stash it

* feat: 添加限制用户只能从source登录的功能

* fix: 修复小错误

Co-authored-by: ibuler <ibuler@qq.com>
											
										
										
											4 years ago
-												feat: 添加企业微信，钉钉扫码登录

											
										
										
											4 years ago
+								    def _set_partial_credential_error(self, username, ip, request):
 								        self.partial_credential_error = partial(errors.CredentialError, username=username, ip=ip, request=request)
-												feat: 添加限制用户只能从source登录的功能 (#5592)

* stash it

* feat: 添加限制用户只能从source登录的功能

* fix: 修复小错误

Co-authored-by: ibuler <ibuler@qq.com>
											
										
										
											4 years ago
+								    def get_auth_data(self, decrypt_passwd=False):
-												[Update] 修改tickets

											
										
										
											5 years ago
+								        request = self.request
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								        if hasattr(request, 'data'):
-												feat(authenticaion): 添加登录页面验证码与MFA开关

											
										
										
											4 years ago
+								            data = request.data
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								        else:
-												feat(authenticaion): 添加登录页面验证码与MFA开关

											
										
										
											4 years ago
+								            data = request.POST
-												perf: 优化登录页面，非常给力

perf: 优化报错

perf: 优化忘记密码

perf: 添加注释

											
										
										
											4 years ago
+								        items = ['username', 'password', 'challenge', 'public_key', 'auto_login']
 								        username, password, challenge, public_key, auto_login = bulk_get(data, *items,  default='')
-												feat: 添加限制用户只能从source登录的功能 (#5592)

* stash it

* feat: 添加限制用户只能从source登录的功能

* fix: 修复小错误

Co-authored-by: ibuler <ibuler@qq.com>
											
										
										
											4 years ago
+								        ip = self.get_request_ip()
-												feat: 添加企业微信，钉钉扫码登录

											
										
										
											4 years ago
+								        self._set_partial_credential_error(username=username, ip=ip, request=request)
-												feat(authenticaion): 添加登录页面验证码与MFA开关

											
										
										
											4 years ago
-												perf: 绑定MFA认证密码时对密码进行加密传输 (#6776)

* perf: 绑定MFA认证密码时对密码进行加密传输

* perf: 绑定MFA认证密码时对密码进行加密传输

Co-authored-by: Michael Bai <baijiangjie@gmail.com>
											
										
										
											3 years ago
+								        password = password + challenge.strip()
-												refactor(authentication): 密码解密抽取成方法

											
										
										
											4 years ago
+								        if decrypt_passwd:
-												perf: 绑定MFA认证密码时对密码进行加密传输 (#6776)

* perf: 绑定MFA认证密码时对密码进行加密传输

* perf: 绑定MFA认证密码时对密码进行加密传输

Co-authored-by: Michael Bai <baijiangjie@gmail.com>
											
										
										
											3 years ago
+								            password = self.get_decrypted_password()
-												perf: 优化登录页面，非常给力

perf: 优化报错

perf: 优化忘记密码

perf: 添加注释

											
										
										
											4 years ago
+								        return username, password, public_key, ip, auto_login
-												feat: 添加限制用户只能从source登录的功能 (#5592)

* stash it

* feat: 添加限制用户只能从source登录的功能

* fix: 修复小错误

Co-authored-by: ibuler <ibuler@qq.com>
											
										
										
											4 years ago
 								    def _check_only_allow_exists_user_auth(self, username):
 								        # 仅允许预先存在的用户认证
 								        if settings.ONLY_ALLOW_EXIST_USER_AUTH:
 								            exist = User.objects.filter(username=username).exists()
 								            if not exist:
 								                logger.error(f"Only allow exist user auth, login failed: {username}")
 								                self.raise_credential_error(errors.reason_user_not_exist)
 								    def _check_auth_user_is_valid(self, username, password, public_key):
 								        user = authenticate(self.request, username=username, password=password, public_key=public_key)
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								        if not user:
-												feat: 添加限制用户只能从source登录的功能 (#5592)

* stash it

* feat: 添加限制用户只能从source登录的功能

* fix: 修复小错误

Co-authored-by: ibuler <ibuler@qq.com>
											
										
										
											4 years ago
+								            self.raise_credential_error(errors.reason_password_failed)
-												feat(authenticaion): 添加登录页面验证码与MFA开关

											
										
										
											4 years ago
+								        elif user.is_expired:
-												fix: 过期用户登录提示无效

											
										
										
											4 years ago
+								            self.raise_credential_error(errors.reason_user_expired)
-												feat(authenticaion): 添加登录页面验证码与MFA开关

											
										
										
											4 years ago
+								        elif not user.is_active:
-												feat: 添加限制用户只能从source登录的功能 (#5592)

* stash it

* feat: 添加限制用户只能从source登录的功能

* fix: 修复小错误

Co-authored-by: ibuler <ibuler@qq.com>
											
										
										
											4 years ago
+								            self.raise_credential_error(errors.reason_user_inactive)
 								        return user
-												feat(authenticaion): 添加登录页面验证码与MFA开关

											
										
										
											4 years ago
-												feat: ACL (#5696)

* feature: acl (v0.1)

* feature: acl (v0.2)

* feature: acl (v0.3)

* feature: acl (v0.4)

* feature: acl (v0.5)

* feature: acl (v0.6)

* feature: acl (v0.7)

* feature: acl (v0.8)

* feature: acl (v0.9)

* feature: acl (v1.0)

* feature: acl (v1.1)

* feature: acl (v1.2)

* feature: acl (v1.3)

* feature: acl (v1.4)

* feature: acl (v1.5)

* feature: acl (v1.6)

* feature: acl (v1.7)

* feature: acl (v1.8)

* feature: acl (v1.9)

* feature: acl (v2.0)

* feature: acl (v2.1)

* feature: acl (v2.2)

* feature: acl (v2.3)

* feature: acl (v2.4)

* feature: acl (v2.5)

* feature: acl (v2.6)

* feature: acl (v2.7)

* feature: acl (v2.8)

* feature: acl (v2.9)

* feature: acl (v3.0)

* feature: acl (v3.1)

* feature: acl (v3.2)

* feature: acl (v3.3)

* feature: acl (v3.4)

* feature: acl (v3.5)

* feature: acl (v3.6)

* feature: acl (v3.7)

* feature: acl (v3.8)

* feature: acl (v3.9)

* feature: acl (v4.0)

* feature: acl (v4.1)

* feature: acl (v4.2)

* feature: acl (v4.3)

* feature: acl (v4.4)
											
										
										
											4 years ago
+								    def _check_login_acl(self, user, ip):
 								        # ACL 限制用户登录
 								        from acls.models import LoginACL
 								        is_allowed = LoginACL.allow_user_to_login(user, ip)
 								        if not is_allowed:
-												perf: 优化acl提示

											
										
										
											4 years ago
+								            raise errors.LoginIPNotAllowed(username=user.username, request=self.request)
-												feat: ACL (#5696)

* feature: acl (v0.1)

* feature: acl (v0.2)

* feature: acl (v0.3)

* feature: acl (v0.4)

* feature: acl (v0.5)

* feature: acl (v0.6)

* feature: acl (v0.7)

* feature: acl (v0.8)

* feature: acl (v0.9)

* feature: acl (v1.0)

* feature: acl (v1.1)

* feature: acl (v1.2)

* feature: acl (v1.3)

* feature: acl (v1.4)

* feature: acl (v1.5)

* feature: acl (v1.6)

* feature: acl (v1.7)

* feature: acl (v1.8)

* feature: acl (v1.9)

* feature: acl (v2.0)

* feature: acl (v2.1)

* feature: acl (v2.2)

* feature: acl (v2.3)

* feature: acl (v2.4)

* feature: acl (v2.5)

* feature: acl (v2.6)

* feature: acl (v2.7)

* feature: acl (v2.8)

* feature: acl (v2.9)

* feature: acl (v3.0)

* feature: acl (v3.1)

* feature: acl (v3.2)

* feature: acl (v3.3)

* feature: acl (v3.4)

* feature: acl (v3.5)

* feature: acl (v3.6)

* feature: acl (v3.7)

* feature: acl (v3.8)

* feature: acl (v3.9)

* feature: acl (v4.0)

* feature: acl (v4.1)

* feature: acl (v4.2)

* feature: acl (v4.3)

* feature: acl (v4.4)
											
										
										
											4 years ago
-												feat: 添加企业微信，钉钉扫码登录

											
										
										
											4 years ago
+								    def set_login_failed_mark(self):
 								        ip = self.get_request_ip()
 								        cache.set(self.key_prefix_captcha.format(ip), 1, 3600)
 								    def set_passwd_verify_on_session(self, user: User):
 								        self.request.session['user_id'] = str(user.id)
 								        self.request.session['auth_password'] = 1
 								        self.request.session['auth_password_expired_at'] = time.time() + settings.AUTH_EXPIRED_SECONDS
 								    def check_is_need_captcha(self):
 								        # 最近有登录失败时需要填写验证码
 								        ip = get_request_ip(self.request)
 								        need = cache.get(self.key_prefix_captcha.format(ip))
 								        return need
-												feat: 添加限制用户只能从source登录的功能 (#5592)

* stash it

* feat: 添加限制用户只能从source登录的功能

* fix: 修复小错误

Co-authored-by: ibuler <ibuler@qq.com>
											
										
										
											4 years ago
+								    def check_user_auth(self, decrypt_passwd=False):
 								        self.check_is_block()
 								        request = self.request
-												perf: 优化登录页面，非常给力

perf: 优化报错

perf: 优化忘记密码

perf: 添加注释

											
										
										
											4 years ago
+								        username, password, public_key, ip, auto_login = self.get_auth_data(decrypt_passwd=decrypt_passwd)
-												feat: 添加限制用户只能从source登录的功能 (#5592)

* stash it

* feat: 添加限制用户只能从source登录的功能

* fix: 修复小错误

Co-authored-by: ibuler <ibuler@qq.com>
											
										
										
											4 years ago
 								        self._check_only_allow_exists_user_auth(username)
 								        user = self._check_auth_user_is_valid(username, password, public_key)
-												feat: ACL (#5696)

* feature: acl (v0.1)

* feature: acl (v0.2)

* feature: acl (v0.3)

* feature: acl (v0.4)

* feature: acl (v0.5)

* feature: acl (v0.6)

* feature: acl (v0.7)

* feature: acl (v0.8)

* feature: acl (v0.9)

* feature: acl (v1.0)

* feature: acl (v1.1)

* feature: acl (v1.2)

* feature: acl (v1.3)

* feature: acl (v1.4)

* feature: acl (v1.5)

* feature: acl (v1.6)

* feature: acl (v1.7)

* feature: acl (v1.8)

* feature: acl (v1.9)

* feature: acl (v2.0)

* feature: acl (v2.1)

* feature: acl (v2.2)

* feature: acl (v2.3)

* feature: acl (v2.4)

* feature: acl (v2.5)

* feature: acl (v2.6)

* feature: acl (v2.7)

* feature: acl (v2.8)

* feature: acl (v2.9)

* feature: acl (v3.0)

* feature: acl (v3.1)

* feature: acl (v3.2)

* feature: acl (v3.3)

* feature: acl (v3.4)

* feature: acl (v3.5)

* feature: acl (v3.6)

* feature: acl (v3.7)

* feature: acl (v3.8)

* feature: acl (v3.9)

* feature: acl (v4.0)

* feature: acl (v4.1)

* feature: acl (v4.2)

* feature: acl (v4.3)

* feature: acl (v4.4)
											
										
										
											4 years ago
+								        # 校验login-acl规则
 								        self._check_login_acl(user, ip)
-												perf(auth): 密码过期后，走重置密码流程 #530

											
										
										
											4 years ago
+								        self._check_password_require_reset_or_not(user)
-												feat(authentication): 超级管理员密码不能是`admin`

											
										
										
											4 years ago
+								        self._check_passwd_is_too_simple(user, password)
-												feat: 管理员可以设置用户是否下次登录需修改密码 (#6006)

* feat: 管理员可以设置用户是否下次登录需修改密码

* feat: 管理员可以设置用户下次是否需要更改密码，本次修改：字段命名规范化

* feat: 管理员可以设置用户下次是否需要更改密码，本次修改：字段命名规范化

* fix: 用户下次登录是否需要改密，函数名及变量名规范化

* fix: 管理员设置用户下次是否改密功能的国际化翻译文件

* fixs: 管理员设置用户下次登录是否需改密功能，逻辑修改

* fix: 管理员可设置用户下次登录是否需要改密，字段名称更改
											
										
										
											4 years ago
+								        self._check_passwd_need_update(user)
-												feat(authentication): 超级管理员密码不能是`admin`

											
										
										
											4 years ago
-												feat: MFA 登录次数限制

											
										
										
											4 years ago
+								        LoginBlockUtil(username, ip).clean_failed_count()
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								        request.session['auth_password'] = 1
 								        request.session['user_id'] = str(user.id)
-												perf: 优化登录页面，非常给力

perf: 优化报错

perf: 优化忘记密码

perf: 添加注释

											
										
										
											4 years ago
+								        request.session['auto_login'] = auto_login
-												perf(users): 优化用户认证来源

											
										
										
											4 years ago
+								        request.session['auth_backend'] = getattr(user, 'backend', settings.AUTH_BACKEND_MODEL)
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								        return user
-												feat: 添加企业微信，钉钉扫码登录

											
										
										
											4 years ago
+								    def _check_is_local_user(self, user: User):
 								        if user.source != User.Source.local:
 								            raise self.raise_credential_error(error=errors.only_local_users_are_allowed)
 								    def check_oauth2_auth(self, user: User, auth_backend):
 								        ip = self.get_request_ip()
 								        request = self.request
-												fix: 用户无效时，企业微信&钉钉扫码 500

											
										
										
											3 years ago
+								        self._set_partial_credential_error(user.username, ip, request)
-												fix: 过期用户登录提示不明确

											
										
										
											3 years ago
+								        if user.is_expired:
 								            self.raise_credential_error(errors.reason_user_expired)
 								        elif not user.is_active:
 								            self.raise_credential_error(errors.reason_user_inactive)
-												feat: 添加企业微信，钉钉扫码登录

											
										
										
											4 years ago
+								        self._check_is_local_user(user)
 								        self._check_is_block(user.username)
 								        self._check_login_acl(user, ip)
 								        LoginBlockUtil(user.username, ip).clean_failed_count()
 								        MFABlockUtils(user.username, ip).clean_failed_count()
 								        request.session['auth_password'] = 1
 								        request.session['user_id'] = str(user.id)
 								        request.session['auth_backend'] = auth_backend
 								        return user
-												feat(authentication): 超级管理员密码不能是`admin`

											
										
										
											4 years ago
+								    @classmethod
-												perf: 优化登录，cas, openid 自动登录

											
										
										
											4 years ago
+								    def generate_reset_password_url_with_flash_msg(cls, user, message):
-												perf(auth): 密码过期后，走重置密码流程 #530

											
										
										
											4 years ago
+								        reset_passwd_url = reverse('authentication:reset-password')
 								        query_str = urlencode({
 								            'token': user.generate_reset_token()
 								        })
 								        reset_passwd_url = f'{reset_passwd_url}?{query_str}'
-												perf: 优化登录，cas, openid 自动登录

											
										
										
											4 years ago
+								        message_data = {
 								            'title': _('Please change your password'),
 								            'message': message,
 								            'interval': 3,
 								            'redirect_url': reset_passwd_url,
 								        }
 								        return FlashMessageUtil.gen_message_url(message_data)
-												perf(auth): 密码过期后，走重置密码流程 #530

											
										
										
											4 years ago
 								    @classmethod
 								    def _check_passwd_is_too_simple(cls, user: User, password):
-												feat(authentication): 超级管理员密码不能是`admin`

											
										
										
											4 years ago
+								        if user.is_superuser and password == 'admin':
-												perf: 优化登录，cas, openid 自动登录

											
										
										
											4 years ago
+								            message = _('Your password is too simple, please change it for security')
 								            url = cls.generate_reset_password_url_with_flash_msg(user, message=message)
-												perf(auth): 密码过期后，走重置密码流程 #530

											
										
										
											4 years ago
+								            raise errors.PasswdTooSimple(url)
-												feat: 管理员可以设置用户是否下次登录需修改密码 (#6006)

* feat: 管理员可以设置用户是否下次登录需修改密码

* feat: 管理员可以设置用户下次是否需要更改密码，本次修改：字段命名规范化

* feat: 管理员可以设置用户下次是否需要更改密码，本次修改：字段命名规范化

* fix: 用户下次登录是否需要改密，函数名及变量名规范化

* fix: 管理员设置用户下次是否改密功能的国际化翻译文件

* fixs: 管理员设置用户下次登录是否需改密功能，逻辑修改

* fix: 管理员可设置用户下次登录是否需要改密，字段名称更改
											
										
										
											4 years ago
+								    @classmethod
 								    def _check_passwd_need_update(cls, user: User):
 								        if user.need_update_password:
-												perf: 优化登录，cas, openid 自动登录

											
										
										
											4 years ago
+								            message = _('You should to change your password before login')
 								            url = cls.generate_reset_password_url_with_flash_msg(user, message)
-												feat: 管理员可以设置用户是否下次登录需修改密码 (#6006)

* feat: 管理员可以设置用户是否下次登录需修改密码

* feat: 管理员可以设置用户下次是否需要更改密码，本次修改：字段命名规范化

* feat: 管理员可以设置用户下次是否需要更改密码，本次修改：字段命名规范化

* fix: 用户下次登录是否需要改密，函数名及变量名规范化

* fix: 管理员设置用户下次是否改密功能的国际化翻译文件

* fixs: 管理员设置用户下次登录是否需改密功能，逻辑修改

* fix: 管理员可设置用户下次登录是否需要改密，字段名称更改
											
										
										
											4 years ago
+								            raise errors.PasswdNeedUpdate(url)
-												perf(auth): 密码过期后，走重置密码流程 #530

											
										
										
											4 years ago
+								    @classmethod
 								    def _check_password_require_reset_or_not(cls, user: User):
 								        if user.password_has_expired:
-												perf: 优化登录，cas, openid 自动登录

											
										
										
											4 years ago
+								            message = _('Your password has expired, please reset before logging in')
 								            url = cls.generate_reset_password_url_with_flash_msg(user, message)
-												perf(auth): 密码过期后，走重置密码流程 #530

											
										
										
											4 years ago
+								            raise errors.PasswordRequireResetError(url)
-												feat(authentication): 超级管理员密码不能是`admin`

											
										
										
											4 years ago
-												refactor(authentication): 密码解密抽取成方法

											
										
										
											4 years ago
+								    def check_user_auth_if_need(self, decrypt_passwd=False):
-												[Update] 修改tickets

											
										
										
											5 years ago
+								        request = self.request
 								        if request.session.get('auth_password') and \
 								                request.session.get('user_id'):
 								            user = self.get_user_from_session()
 								            if user:
 								                return user
-												refactor(authentication): 密码解密抽取成方法

											
										
										
											4 years ago
+								        return self.check_user_auth(decrypt_passwd=decrypt_passwd)
-												[Update] 修改tickets

											
										
										
											5 years ago
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								    def check_user_mfa_if_need(self, user):
 								        if self.request.session.get('auth_mfa'):
-												[Update] 修改tickets

											
										
										
											5 years ago
+								            return
-												fix: OTP_IN_RADIUS 与 mfa 冲突

											
										
										
											3 years ago
 								        if settings.OTP_IN_RADIUS:
 								            return
-												[Update] 修改mfa

											
										
										
											5 years ago
+								        if not user.mfa_enabled:
 								            return
-.5.7 Merge to dev (#3766)

* [Update] 暂存，优化解决不了问题

* [Update] 待续（小白）

* [Update] 修改asset user

* [Update] 计划再次更改

* [Update] 修改asset user

* [Update] 暂存与喜爱

* [Update] Add id in

* [Update] 阶段性完成ops task该做

* [Update] 修改asset user api

* [Update] 修改asset user 任务，查看认证等

* [Update] 基本完成asset user改造

* [Update] dynamic user only allow 1

* [Update] 修改asset user task

* [Update] 修改node admin user task api

* [Update] remove file header license

* [Update] 添加sftp root

* [Update] 暂存

* [Update] 暂存

* [Update] 修改翻译

* [Update] 修改系统用户改为同名后，用户名改为空

* [Update] 基本完成CAS调研

* [Update] 支持cas server

* [Update] 支持cas server

* [Update] 添加requirements

* [Update] 为方便调试添加mysql ipython到包中

* [Update] 添加huaweiyun翻译

* [Update] 增加下载session 录像

* [Update] 只有第一次通知replay离线的使用方法

* [Update] 暂存一下

* [Bugfix] 获取系统用户信息报错

* [Bugfix] 修改system user info

* [Update] 改成清理10天git status

* [Update] 修改celery日志保留时间

* [Update]修复部分pip包依赖的版本不兼容问题 (#3672)

* [Update] 修复用户更新页面会清空用户public_key的问题

* Fix broken dependencies

Co-authored-by: BaiJiangJie <32935519+BaiJiangJie@users.noreply.github.com>

* [Update] 修改获取系统用户auth info

* [Update] Remove log

* [Bugfix] 修复sftp home设置的bug

* [Update] 授权的系统用户添加sftp root

* [Update] 修改系统用户关联的用户

* [Update] 修改placeholder

* [Update] 优化获取授权的系统用户

* [Update] 修改tasks

* [Update] tree service update

* [Update] 暂存

* [Update] 基本完成用户授权树和资产树改造

* [Update] Dashbaord perf

* [update] Add huawei cloud sdk requirements

* [Updte] 优化dashboard页面

* [Update] system user auth info 添加id

* [Update] 修改系统用户serializer

* [Update] 优化api

* [Update] LDAP Test Util (#3720)

* [Update] LDAPTestUtil 1

* [Update] LDAPTestUtil 2

* [Update] LDAPTestUtil 3

* [Update] LDAPTestUtil 4

* [Update] LDAPTestUtil 5

* [Update] LDAPTestUtil 6

* [Update] LDAPTestUtil 7

* [Update] session 已添加is success，并且添加display serializer

* [Bugfix] 修复无法删除空节点的bug

* [Update] 命令记录分组织显示

* [Update] Session is_success 添加迁移文件

* [Update] 批量命令添加org_id

* [Update] 修复一些文案，修改不绑定MFA，不能ssh登录

* [Update] 修改replay api, 返回session信息

* [Update] 解决无效es导致访问命令记录页面失败的问题

* [Update] 拆分profile view

* [Update] 修改一个翻译

* [Update] 修改aysnc api框架

* [Update] 命令列表添加risk level

* [Update] 完成录像打包下载

* [Update] 更改登陆otp页面

* [Update] 修改command 存储redis_level

* [Update] 修改翻译

* [Update] 修改系统用户的用户列表字段

* [Update] 使用新logo和统一Jumpserver为JumpServer

* [Update] 优化cloud task

* [Update] 统一period task

* [Update] 统一period form serializer字段

* [Update] 修改period task

* [Update] 修改资产网关信息

* [Update] 用户授权资产树资产信息添加domain

* [Update] 修改翻译

* [Update] 测试可连接性

* 1.5.7 bai (#3764)

* [Update] 修复index页面Bug；修复测试资产用户可连接性问题；

* [Update] 修改测试资产用户可连接

* [Bugfix] 修复backends问题

* [Update] 修改marksafe依赖版本

* [Update] 修改测试资产用户可连接性

* [Update] 修改检测服务器性能时获取percent值

* [Update] 更新依赖boto3=1.12.14

Co-authored-by: Yanzhe Lee <lee.yanzhe@yanzhe.org>
Co-authored-by: BaiJiangJie <32935519+BaiJiangJie@users.noreply.github.com>
Co-authored-by: Bai <bugatti_it@163.com>
											
										
										
											5 years ago
+								        unset, url = user.mfa_enabled_but_not_set()
 								        if unset:
 								            raise errors.MFAUnsetError(user, self.request, url)
-												feat: 添加短信服务和用户消息通知

											
										
										
											3 years ago
+								        raise errors.MFARequiredError(mfa_types=user.get_supported_mfa_types())
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
-												feat: 添加短信服务和用户消息通知

											
										
										
											3 years ago
+								    def mark_mfa_ok(self, mfa_type=MFAType.OTP):
-												feat: MFA 登录次数限制

											
										
										
											4 years ago
+								        self.request.session['auth_mfa'] = 1
 								        self.request.session['auth_mfa_time'] = time.time()
-												feat: sso支持验证mfa

											
										
										
											3 years ago
+								        self.request.session['auth_mfa_required'] = ''
-												feat: 添加短信服务和用户消息通知

											
										
										
											3 years ago
+								        self.request.session['auth_mfa_type'] = mfa_type
-												feat: MFA 登录次数限制

											
										
										
											4 years ago
 								    def check_mfa_is_block(self, username, ip, raise_exception=True):
 								        if MFABlockUtils(username, ip).is_block():
 								            logger.warn('Ip was blocked' + ': ' + username + ':' + ip)
 								            exception = errors.BlockMFAError(username=username, request=self.request, ip=ip)
 								            if raise_exception:
 								                raise exception
 								            else:
 								                return exception
-												feat: 添加短信服务和用户消息通知

											
										
										
											3 years ago
+								    def check_user_mfa(self, code, mfa_type=MFAType.OTP):
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								        user = self.get_user_from_session()
-												feat: MFA 登录次数限制

											
										
										
											4 years ago
+								        ip = self.get_request_ip()
 								        self.check_mfa_is_block(user.username, ip)
-												feat: 添加短信服务和用户消息通知

											
										
										
											3 years ago
+								        ok = user.check_mfa(code, mfa_type=mfa_type)
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								        if ok:
-												feat: MFA 登录次数限制

											
										
										
											4 years ago
+								            self.mark_mfa_ok()
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								            return
-												feat: MFA 登录次数限制

											
										
										
											4 years ago
 								        raise errors.MFAFailedError(
 								            username=user.username,
 								            request=self.request,
-												feat: 添加短信服务和用户消息通知

											
										
										
											3 years ago
+								            ip=ip, mfa_type=mfa_type,
-												feat: MFA 登录次数限制

											
										
										
											4 years ago
+								        )
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
-												[Update] 修改tickets

											
										
										
											5 years ago
+								    def get_ticket(self):
-												[Update] 修改工单

											
										
										
											5 years ago
+								        from tickets.models import Ticket
-												[Update] 修改tickets

											
										
										
											5 years ago
+								        ticket_id = self.request.session.get("auth_ticket_id")
 								        logger.debug('Login confirm ticket id: {}'.format(ticket_id))
 								        if not ticket_id:
 								            ticket = None
 								        else:
-												reactor&feat: 重构工单模块 & 支持申请应用工单 (#5352)

* reactor: 修改工单Model，添加工单迁移文件

* reactor: 修改工单Model，添加工单迁移文件

* reactor: 重构工单模块

* reactor: 重构工单模块2

* reactor: 重构工单模块3

* reactor: 重构工单模块4

* reactor: 重构工单模块5

* reactor: 重构工单模块6

* reactor: 重构工单模块7

* reactor: 重构工单模块8

* reactor: 重构工单模块9

* reactor: 重构工单模块10

* reactor: 重构工单模块11

* reactor: 重构工单模块12

* reactor: 重构工单模块13

* reactor: 重构工单模块14

* reactor: 重构工单模块15

* reactor: 重构工单模块16

* reactor: 重构工单模块17

* reactor: 重构工单模块18

* reactor: 重构工单模块19

* reactor: 重构工单模块20

* reactor: 重构工单模块21

* reactor: 重构工单模块22

* reactor: 重构工单模块23

* reactor: 重构工单模块24

* reactor: 重构工单模块25

* reactor: 重构工单模块26

* reactor: 重构工单模块27

* reactor: 重构工单模块28

* reactor: 重构工单模块29

* reactor: 重构工单模块30

* reactor: 重构工单模块31

* reactor: 重构工单模块32

* reactor: 重构工单模块33

* reactor: 重构工单模块34

* reactor: 重构工单模块35

* reactor: 重构工单模块36

* reactor: 重构工单模块37

* reactor: 重构工单模块38

* reactor: 重构工单模块39
											
										
										
											4 years ago
+								            ticket = Ticket.all().filter(id=ticket_id).first()
-												[Update] 修改tickets

											
										
										
											5 years ago
+								        return ticket
 								    def get_ticket_or_create(self, confirm_setting):
 								        ticket = self.get_ticket()
-												reactor&feat: 重构工单模块 & 支持申请应用工单 (#5352)

* reactor: 修改工单Model，添加工单迁移文件

* reactor: 修改工单Model，添加工单迁移文件

* reactor: 重构工单模块

* reactor: 重构工单模块2

* reactor: 重构工单模块3

* reactor: 重构工单模块4

* reactor: 重构工单模块5

* reactor: 重构工单模块6

* reactor: 重构工单模块7

* reactor: 重构工单模块8

* reactor: 重构工单模块9

* reactor: 重构工单模块10

* reactor: 重构工单模块11

* reactor: 重构工单模块12

* reactor: 重构工单模块13

* reactor: 重构工单模块14

* reactor: 重构工单模块15

* reactor: 重构工单模块16

* reactor: 重构工单模块17

* reactor: 重构工单模块18

* reactor: 重构工单模块19

* reactor: 重构工单模块20

* reactor: 重构工单模块21

* reactor: 重构工单模块22

* reactor: 重构工单模块23

* reactor: 重构工单模块24

* reactor: 重构工单模块25

* reactor: 重构工单模块26

* reactor: 重构工单模块27

* reactor: 重构工单模块28

* reactor: 重构工单模块29

* reactor: 重构工单模块30

* reactor: 重构工单模块31

* reactor: 重构工单模块32

* reactor: 重构工单模块33

* reactor: 重构工单模块34

* reactor: 重构工单模块35

* reactor: 重构工单模块36

* reactor: 重构工单模块37

* reactor: 重构工单模块38

* reactor: 重构工单模块39
											
										
										
											4 years ago
+								        if not ticket or ticket.status_closed:
-												[Update] Rename app

											
										
										
											5 years ago
+								            ticket = confirm_setting.create_confirm_ticket(self.request)
 								            self.request.session['auth_ticket_id'] = str(ticket.id)
-												[Update] 修改tickets

											
										
										
											5 years ago
+								        return ticket
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
-												[Update] 修改tickets

											
										
										
											5 years ago
+								    def check_user_login_confirm(self):
 								        ticket = self.get_ticket()
 								        if not ticket:
 								            raise errors.LoginConfirmOtherError('', "Not found")
-												reactor&feat: 重构工单模块 & 支持申请应用工单 (#5352)

* reactor: 修改工单Model，添加工单迁移文件

* reactor: 修改工单Model，添加工单迁移文件

* reactor: 重构工单模块

* reactor: 重构工单模块2

* reactor: 重构工单模块3

* reactor: 重构工单模块4

* reactor: 重构工单模块5

* reactor: 重构工单模块6

* reactor: 重构工单模块7

* reactor: 重构工单模块8

* reactor: 重构工单模块9

* reactor: 重构工单模块10

* reactor: 重构工单模块11

* reactor: 重构工单模块12

* reactor: 重构工单模块13

* reactor: 重构工单模块14

* reactor: 重构工单模块15

* reactor: 重构工单模块16

* reactor: 重构工单模块17

* reactor: 重构工单模块18

* reactor: 重构工单模块19

* reactor: 重构工单模块20

* reactor: 重构工单模块21

* reactor: 重构工单模块22

* reactor: 重构工单模块23

* reactor: 重构工单模块24

* reactor: 重构工单模块25

* reactor: 重构工单模块26

* reactor: 重构工单模块27

* reactor: 重构工单模块28

* reactor: 重构工单模块29

* reactor: 重构工单模块30

* reactor: 重构工单模块31

* reactor: 重构工单模块32

* reactor: 重构工单模块33

* reactor: 重构工单模块34

* reactor: 重构工单模块35

* reactor: 重构工单模块36

* reactor: 重构工单模块37

* reactor: 重构工单模块38

* reactor: 重构工单模块39
											
										
										
											4 years ago
+								        if ticket.status_open:
-												[Update] 修改tickets

											
										
										
											5 years ago
+								            raise errors.LoginConfirmWaitError(ticket.id)
-												feat: 工单多级审批 + 模版创建 (#6640)

* feat: 工单多级审批 + 模版创建

* feat: 工单权限处理

* fix: 工单关闭后 再审批bug

* perf: 修改一点

Co-authored-by: feng626 <1304903146@qq.com>
Co-authored-by: ibuler <ibuler@qq.com>
											
										
										
											3 years ago
+								        elif ticket.state_approve:
-												[Update] 修改tickets

											
										
										
											5 years ago
+								            self.request.session["auth_confirm"] = "1"
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								            return
-												feat: 工单多级审批 + 模版创建 (#6640)

* feat: 工单多级审批 + 模版创建

* feat: 工单权限处理

* fix: 工单关闭后 再审批bug

* perf: 修改一点

Co-authored-by: feng626 <1304903146@qq.com>
Co-authored-by: ibuler <ibuler@qq.com>
											
										
										
											3 years ago
+								        elif ticket.state_reject:
-												reactor&feat: 重构工单模块 & 支持申请应用工单 (#5352)

* reactor: 修改工单Model，添加工单迁移文件

* reactor: 修改工单Model，添加工单迁移文件

* reactor: 重构工单模块

* reactor: 重构工单模块2

* reactor: 重构工单模块3

* reactor: 重构工单模块4

* reactor: 重构工单模块5

* reactor: 重构工单模块6

* reactor: 重构工单模块7

* reactor: 重构工单模块8

* reactor: 重构工单模块9

* reactor: 重构工单模块10

* reactor: 重构工单模块11

* reactor: 重构工单模块12

* reactor: 重构工单模块13

* reactor: 重构工单模块14

* reactor: 重构工单模块15

* reactor: 重构工单模块16

* reactor: 重构工单模块17

* reactor: 重构工单模块18

* reactor: 重构工单模块19

* reactor: 重构工单模块20

* reactor: 重构工单模块21

* reactor: 重构工单模块22

* reactor: 重构工单模块23

* reactor: 重构工单模块24

* reactor: 重构工单模块25

* reactor: 重构工单模块26

* reactor: 重构工单模块27

* reactor: 重构工单模块28

* reactor: 重构工单模块29

* reactor: 重构工单模块30

* reactor: 重构工单模块31

* reactor: 重构工单模块32

* reactor: 重构工单模块33

* reactor: 重构工单模块34

* reactor: 重构工单模块35

* reactor: 重构工单模块36

* reactor: 重构工单模块37

* reactor: 重构工单模块38

* reactor: 重构工单模块39
											
										
										
											4 years ago
+								            raise errors.LoginConfirmOtherError(
 								                ticket.id, ticket.get_action_display()
 								            )
-												feat: 工单多级审批 + 模版创建 (#6640)

* feat: 工单多级审批 + 模版创建

* feat: 工单权限处理

* fix: 工单关闭后 再审批bug

* perf: 修改一点

Co-authored-by: feng626 <1304903146@qq.com>
Co-authored-by: ibuler <ibuler@qq.com>
											
										
										
											3 years ago
+								        elif ticket.state_close:
-												[Update] 修改tickets

											
										
										
											5 years ago
+								            raise errors.LoginConfirmOtherError(
 								                ticket.id, ticket.get_action_display()
 								            )
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								        else:
-												[Update] 修改tickets

											
										
										
											5 years ago
+								            raise errors.LoginConfirmOtherError(
 								                ticket.id, ticket.get_status_display()
 								            )
 								    def check_user_login_confirm_if_need(self, user):
-												Config (#3502)

* [Update] 修改config

* [Update] 移动存储设置到到terminal中

* [Update] 修改permission 查看

* [Update] pre merge

* [Update] 录像存储

* [Update] 命令存储

* [Update] 添加存储测试可连接性

* [Update] 修改 meta 值的 key 为大写

* [Update] 修改 Terminal 相关 Storage 配置

* [Update] 删除之前获取录像/命令存储的代码

* [Update] 修改导入失败

* [Update] 迁移文件添加default存储

* [Update] 删除之前代码，添加help_text信息

* [Update] 删除之前代码

* [Update] 删除之前代码

* [Update] 抽象命令/录像存储 APIView

* [Update] 抽象命令/录像存储 APIView 1

* [Update] 抽象命令/录像存储 DictField

* [Update] 抽象命令/录像存储列表页面

* [Update] 修复CustomDictField的bug

* [Update] RemoteApp 页面添加 hidden

* [Update] 用户页面添加用户关联授权

* [Update] 修改存储测试可连接性 target

* [Update] 修改配置

* [Update] 修改存储前端 Form 渲染逻辑

* [Update] 修改存储细节

* [Update] 统一存储类型到 const 文件

* [Update] 修改迁移文件及Model，创建默认存储

* [Update] 修改迁移文件及Model初始化默认数据

* [Update] 修改迁移文件

* [Update] 修改迁移文件

* [Update] 修改迁移文件

* [Update] 修改迁移文件

* [Update] 修改迁移文件

* [Update] 修改迁移文件

* [Update] 修改迁移文件

* [Update] 限制删除默认存储配置，只允许创建扩展的存储类型

* [Update] 修改ip字段长度

* [Update] 修改ip字段长度

* [Update] 修改一些css

* [Update] 修改关联

* [Update] 添加操作日志定时清理

* [Update] 修改记录syslog的instance encoder

* [Update] 忽略登录产生的操作日志

* [Update] 限制更新存储时不覆盖原有AK SK 等字段

* [Update] 修改迁移文件添加comment字段

* [Update] 修改迁移文件

* [Update] 添加 comment 字段

* [Update] 修改默认存储no -> null

* [Update] 修改细节

* [Update] 更新翻译（存储配置

* [Update] 修改定时任务注册，修改系统用户资产、节点关系api

* [Update] 添加监控磁盘任务

* [Update] 修改session

* [Update] 拆分serializer

* [Update] 还原setting原来的manager

											
										
										
											5 years ago
+								        if not settings.LOGIN_CONFIRM_ENABLE:
-												[Update] 修改tickets

											
										
										
											5 years ago
+								            return
 								        confirm_setting = user.get_login_confirm_setting()
 								        if self.request.session.get('auth_confirm') or not confirm_setting:
 								            return
 								        self.get_ticket_or_create(confirm_setting)
 								        self.check_user_login_confirm()
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
 								    def clear_auth_mark(self):
 								        self.request.session['auth_password'] = ''
-												[Update] 修改tickets

											
										
										
											5 years ago
+								        self.request.session['auth_user_id'] = ''
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
+								        self.request.session['auth_confirm'] = ''
-												[Update] Rename app

											
										
										
											5 years ago
+								        self.request.session['auth_ticket_id'] = ''
-												[Update] 基本完成登录逻辑

											
										
										
											5 years ago
 								    def send_auth_signal(self, success=True, user=None, username='', reason=''):
 								        if success:
 								            post_auth_success.send(
 								                sender=self.__class__, user=user, request=self.request
 								            )
 								        else:
 								            post_auth_failed.send(
 								                sender=self.__class__, username=username,
 								                request=self.request, reason=reason
 								            )
-												feat: 添加企业微信，钉钉扫码登录

											
										
										
											4 years ago
 								    def redirect_to_guard_view(self):
 								        guard_url = reverse('authentication:login-guard')
 								        args = self.request.META.get('QUERY_STRING', '')
 								        if args:
 								            guard_url = "%s?%s" % (guard_url, args)
 								        return redirect(guard_url)