jumpserver/apps/authentication/openid/views.py

# -*- coding: utf-8 -*-
#

import logging

from django.urls import reverse
from django.conf import settings
from django.core.cache import cache
from django.views.generic.base import RedirectView
from django.contrib.auth import authenticate, login
from django.http.response import (
    HttpResponseBadRequest,
    HttpResponseServerError,
    HttpResponseRedirect
)

from . import client
from .models import Nonce
from users.models import LoginLog
from users.tasks import write_login_log_async
from common.utils import get_request_ip

logger = logging.getLogger(__name__)


def get_base_site_url():
    return settings.BASE_SITE_URL


class LoginView(RedirectView):

    def get_redirect_url(self, *args, **kwargs):
        nonce = Nonce(
            redirect_uri=get_base_site_url() + reverse(
                "authentication:openid-login-complete"),

            next_path=self.request.GET.get('next')
        )

        cache.set(str(nonce.state), nonce, 24*3600)

        self.request.session['openid_state'] = str(nonce.state)

        authorization_url = client.openid_connect_client.\
            authorization_url(
                redirect_uri=nonce.redirect_uri, scope='code',
                state=str(nonce.state)
            )

        return authorization_url


class LoginCompleteView(RedirectView):

    def get(self, request, *args, **kwargs):
        if 'error' in request.GET:
            return HttpResponseServerError(self.request.GET['error'])

        if 'code' not in self.request.GET and 'state' not in self.request.GET:
            return HttpResponseBadRequest()

        if self.request.GET['state'] != self.request.session['openid_state']:
            return HttpResponseBadRequest()

        nonce = cache.get(self.request.GET['state'])

        if not nonce:
            return HttpResponseBadRequest()

        user = authenticate(
            request=self.request,
            code=self.request.GET['code'],
            redirect_uri=nonce.redirect_uri
        )

        cache.delete(str(nonce.state))

        if not user:
            return HttpResponseBadRequest()

        login(self.request, user)

        data = {
            'username': user.username,
            'mfa': int(user.otp_enabled),
            'reason': LoginLog.REASON_NOTHING,
            'status': True
        }
        self.write_login_log(data)

        return HttpResponseRedirect(nonce.next_path or '/')

    def write_login_log(self, data):
        login_ip = get_request_ip(self.request)
        user_agent = self.request.META.get('HTTP_USER_AGENT', '')
        tmp_data = {
            'ip': login_ip,
            'type': 'W',
            'user_agent': user_agent
        }
        data.update(tmp_data)
        write_login_log_async.delay(**data)
[Update] 支持 OpenID 认证 (#2008) * [Update] core支持openid登录，coco还不支持 * [Update] coco支持openid登录 * [Update] 修改注释 * [Update] 修改 OpenID Auth Code Backend 用户认证失败返回None, 不是Anonymoususer * [Update] 修改OpenID Code用户认证异常捕获 * [Update] 修改OpenID Auth Middleware, check用户是否单点退出的异常捕获 * [Update] 修改config_example Auth OpenID 配置 * [Update] 登录页面添加更多登录方式 * [Update] 重构OpenID认证架构 * [Update] 修改小细节 * [Update] OpenID用户认证成功后，更新用户来源 * [update] 添加OpenID用户登录成功日志 2018-11-09 06:54:38 +00:00			`# -- coding: utf-8 --`
			`#`

			`import logging`

			`from django.urls import reverse`
			`from django.conf import settings`
			`from django.core.cache import cache`
			`from django.views.generic.base import RedirectView`
			`from django.contrib.auth import authenticate, login`
			`from django.http.response import (`
			`HttpResponseBadRequest,`
			`HttpResponseServerError,`
			`HttpResponseRedirect`
			`)`

			`from . import client`
			`from .models import Nonce`
			`from users.models import LoginLog`
			`from users.tasks import write_login_log_async`
			`from common.utils import get_request_ip`

			`logger = logging.getLogger(__name__)`


			`def get_base_site_url():`
			`return settings.BASE_SITE_URL`


			`class LoginView(RedirectView):`

			`def get_redirect_url(self, args, *kwargs):`
			`nonce = Nonce(`
			`redirect_uri=get_base_site_url() + reverse(`
			`"authentication:openid-login-complete"),`

			`next_path=self.request.GET.get('next')`
			`)`

			`cache.set(str(nonce.state), nonce, 24*3600)`

			`self.request.session['openid_state'] = str(nonce.state)`

			`authorization_url = client.openid_connect_client.\`
			`authorization_url(`
			`redirect_uri=nonce.redirect_uri, scope='code',`
			`state=str(nonce.state)`
			`)`

			`return authorization_url`


			`class LoginCompleteView(RedirectView):`

			`def get(self, request, args, *kwargs):`
			`if 'error' in request.GET:`
			`return HttpResponseServerError(self.request.GET['error'])`

			`if 'code' not in self.request.GET and 'state' not in self.request.GET:`
			`return HttpResponseBadRequest()`

			`if self.request.GET['state'] != self.request.session['openid_state']:`
			`return HttpResponseBadRequest()`

			`nonce = cache.get(self.request.GET['state'])`

			`if not nonce:`
			`return HttpResponseBadRequest()`

			`user = authenticate(`
			`request=self.request,`
			`code=self.request.GET['code'],`
			`redirect_uri=nonce.redirect_uri`
			`)`

			`cache.delete(str(nonce.state))`

			`if not user:`
			`return HttpResponseBadRequest()`

			`login(self.request, user)`

			`data = {`
			`'username': user.username,`
			`'mfa': int(user.otp_enabled),`
			`'reason': LoginLog.REASON_NOTHING,`
			`'status': True`
			`}`
			`self.write_login_log(data)`

			`return HttpResponseRedirect(nonce.next_path or '/')`

			`def write_login_log(self, data):`
			`login_ip = get_request_ip(self.request)`
			`user_agent = self.request.META.get('HTTP_USER_AGENT', '')`
			`tmp_data = {`
			`'ip': login_ip,`
			`'type': 'W',`
			`'user_agent': user_agent`
			`}`
			`data.update(tmp_data)`
			`write_login_log_async.delay(**data)`