jumpserver/apps/authentication/authentication.py

# -*- coding: utf-8 -*-
#

import uuid
import time

from django.core.cache import cache
from django.conf import settings
from django.utils.translation import ugettext as _
from django.utils.six import text_type
from django.utils.translation import ugettext_lazy as _
from rest_framework import HTTP_HEADER_ENCODING
from rest_framework import authentication, exceptions
from rest_framework.authentication import CSRFCheck

from common.utils import get_object_or_none, make_signature, http_to_unixtime
from users.models import User, AccessKey, PrivateToken


def get_request_date_header(request):
    date = request.META.get('HTTP_DATE', b'')
    if isinstance(date, text_type):
        # Work around django test client oddness
        date = date.encode(HTTP_HEADER_ENCODING)
    return date


class AccessKeyAuthentication(authentication.BaseAuthentication):
    """App使用Access key进行签名认证, 目前签名算法比较简单,
    app注册或者手动建立后,会生成 access_key_id 和 access_key_secret,
    然后使用 如下算法生成签名:
    Signature = md5(access_key_secret + '\n' + Date)
    example: Signature = md5('d32d2b8b-9a10-4b8d-85bb-1a66976f6fdc' + '\n' +
                    'Thu, 12 Jan 2017 08:19:41 GMT')
    请求时设置请求header
    header['Authorization'] = 'Sign access_key_id:Signature' 如:
    header['Authorization'] =
        'Sign d32d2b8b-9a10-4b8d-85bb-1a66976f6fdc:OKOlmdxgYPZ9+SddnUUDbQ=='

    验证时根据相同算法进行验证, 取到access_key_id对应的access_key_id, 从request
    headers取到Date, 然后进行md5, 判断得到的结果是否相同, 如果是认证通过, 否则 认证
    失败
    """
    keyword = 'Sign'
    model = AccessKey

    def authenticate(self, request):
        auth = authentication.get_authorization_header(request).split()
        if not auth or auth[0].lower() != self.keyword.lower().encode():
            return None

        if len(auth) == 1:
            msg = _('Invalid signature header. No credentials provided.')
            raise exceptions.AuthenticationFailed(msg)
        elif len(auth) > 2:
            msg = _('Invalid signature header. Signature '
                    'string should not contain spaces.')
            raise exceptions.AuthenticationFailed(msg)

        try:
            sign = auth[1].decode().split(':')
            if len(sign) != 2:
                msg = _('Invalid signature header. '
                        'Format like AccessKeyId:Signature')
                raise exceptions.AuthenticationFailed(msg)
        except UnicodeError:
            msg = _('Invalid signature header. '
                    'Signature string should not contain invalid characters.')
            raise exceptions.AuthenticationFailed(msg)

        access_key_id = sign[0]
        try:
            uuid.UUID(access_key_id)
        except ValueError:
            raise exceptions.AuthenticationFailed('Access key id invalid')
        request_signature = sign[1]

        return self.authenticate_credentials(
            request, access_key_id, request_signature
        )

    @staticmethod
    def authenticate_credentials(request, access_key_id, request_signature):
        access_key = get_object_or_none(AccessKey, id=access_key_id)
        request_date = get_request_date_header(request)
        if access_key is None or not access_key.user:
            raise exceptions.AuthenticationFailed(_('Invalid signature.'))
        access_key_secret = access_key.secret

        try:
            request_unix_time = http_to_unixtime(request_date)
        except ValueError:
            raise exceptions.AuthenticationFailed(
                _('HTTP header: Date not provide '
                  'or not %a, %d %b %Y %H:%M:%S GMT'))

        if int(time.time()) - request_unix_time > 15 * 60:
            raise exceptions.AuthenticationFailed(
                _('Expired, more than 15 minutes'))

        signature = make_signature(access_key_secret, request_date)
        if not signature == request_signature:
            raise exceptions.AuthenticationFailed(_('Invalid signature.'))

        if not access_key.user.is_active:
            raise exceptions.AuthenticationFailed(_('User disabled.'))
        return access_key.user, None


class AccessTokenAuthentication(authentication.BaseAuthentication):
    keyword = 'Bearer'
    model = User
    expiration = settings.TOKEN_EXPIRATION or 3600

    def authenticate(self, request):
        auth = authentication.get_authorization_header(request).split()
        if not auth or auth[0].lower() != self.keyword.lower().encode():
            return None

        if len(auth) == 1:
            msg = _('Invalid token header. No credentials provided.')
            raise exceptions.AuthenticationFailed(msg)
        elif len(auth) > 2:
            msg = _('Invalid token header. Sign string '
                    'should not contain spaces.')
            raise exceptions.AuthenticationFailed(msg)

        try:
            token = auth[1].decode()
        except UnicodeError:
            msg = _('Invalid token header. Sign string '
                    'should not contain invalid characters.')
            raise exceptions.AuthenticationFailed(msg)
        return self.authenticate_credentials(token)

    @staticmethod
    def authenticate_credentials(token):
        user_id = cache.get(token)
        user = get_object_or_none(User, id=user_id)

        if not user:
            msg = _('Invalid token or cache refreshed.')
            raise exceptions.AuthenticationFailed(msg)
        return user, None


class PrivateTokenAuthentication(authentication.TokenAuthentication):
    model = PrivateToken


class SessionAuthentication(authentication.SessionAuthentication):
    def enforce_csrf(self, request):
        reason = CSRFCheck().process_view(request, None, (), {})
        if reason:
            raise exceptions.AuthenticationFailed(reason)
Add user backend 2016-10-14 16:49:59 +00:00			`# -- coding: utf-8 --`
			`#`

[Fix] 修改一些api bug 2017-01-20 05:59:53 +00:00			`import uuid`
Finish access key auth 2016-12-25 05:15:28 +00:00			`import time`
Finish token access api 2016-10-31 10:58:23 +00:00
			`from django.core.cache import cache`
			`from django.conf import settings`
			`from django.utils.translation import ugettext as _`
Add access key auth 2016-12-21 17:07:05 +00:00			`from django.utils.six import text_type`
			`from django.utils.translation import ugettext_lazy as _`
			`from rest_framework import HTTP_HEADER_ENCODING`
服务账号注册机制更改 (#2079) * [Update] 服务账号注册 * [Update] 修改settings配置 * [Update] 修改settings * [Update] 整理terminal api * [Update] 修改terminal api * [Update] 修改terminal注册机制 2018-11-23 02:25:35 +00:00			`from rest_framework import authentication, exceptions`
[Change] 拆分user view为多个view 2017-01-17 08:34:47 +00:00			`from rest_framework.authentication import CSRFCheck`
Add user backend 2016-10-14 16:49:59 +00:00
Finish access key auth 2016-12-25 05:15:28 +00:00			`from common.utils import get_object_or_none, make_signature, http_to_unixtime`
[Update] users认证逻辑迁移到authentication中 2019-02-27 12:55:28 +00:00			`from users.models import User, AccessKey, PrivateToken`
Add user backend 2016-10-14 16:49:59 +00:00

Add access key auth 2016-12-21 17:07:05 +00:00			`def get_request_date_header(request):`
			`date = request.META.get('HTTP_DATE', b'')`
			`if isinstance(date, text_type):`
			`# Work around django test client oddness`
			`date = date.encode(HTTP_HEADER_ENCODING)`
			`return date`


			`class AccessKeyAuthentication(authentication.BaseAuthentication):`
[Change] 拆分user view为多个view 2017-01-17 08:34:47 +00:00			`"""App使用Access key进行签名认证, 目前签名算法比较简单,`
			`app注册或者手动建立后,会生成 access_key_id 和 access_key_secret,`
			`然后使用如下算法生成签名:`
			`Signature = md5(access_key_secret + '\n' + Date)`
			`example: Signature = md5('d32d2b8b-9a10-4b8d-85bb-1a66976f6fdc' + '\n' +`
			`'Thu, 12 Jan 2017 08:19:41 GMT')`
			`请求时设置请求header`
			`header['Authorization'] = 'Sign access_key_id:Signature' 如:`
			`header['Authorization'] =`
			`'Sign d32d2b8b-9a10-4b8d-85bb-1a66976f6fdc:OKOlmdxgYPZ9+SddnUUDbQ=='`

			`验证时根据相同算法进行验证, 取到access_key_id对应的access_key_id, 从request`
			`headers取到Date, 然后进行md5, 判断得到的结果是否相同, 如果是认证通过, 否则认证`
			`失败`
			`"""`
Add user backend 2016-10-14 16:49:59 +00:00			`keyword = 'Sign'`
Add access key auth 2016-12-21 17:07:05 +00:00			`model = AccessKey`
Add user backend 2016-10-14 16:49:59 +00:00
			`def authenticate(self, request):`
			`auth = authentication.get_authorization_header(request).split()`
			`if not auth or auth[0].lower() != self.keyword.lower().encode():`
			`return None`

			`if len(auth) == 1:`
Add access key auth 2016-12-21 17:07:05 +00:00			`msg = _('Invalid signature header. No credentials provided.')`
Add user backend 2016-10-14 16:49:59 +00:00			`raise exceptions.AuthenticationFailed(msg)`
			`elif len(auth) > 2:`
[Change] 拆分user view为多个view 2017-01-17 08:34:47 +00:00			`msg = _('Invalid signature header. Signature '`
			`'string should not contain spaces.')`
Add user backend 2016-10-14 16:49:59 +00:00			`raise exceptions.AuthenticationFailed(msg)`

			`try:`
Add access key auth 2016-12-21 17:07:05 +00:00			`sign = auth[1].decode().split(':')`
			`if len(sign) != 2:`
[Change] 拆分user view为多个view 2017-01-17 08:34:47 +00:00			`msg = _('Invalid signature header. '`
			`'Format like AccessKeyId:Signature')`
Add access key auth 2016-12-21 17:07:05 +00:00			`raise exceptions.AuthenticationFailed(msg)`
Add user backend 2016-10-14 16:49:59 +00:00			`except UnicodeError:`
[Change] 拆分user view为多个view 2017-01-17 08:34:47 +00:00			`msg = _('Invalid signature header. '`
			`'Signature string should not contain invalid characters.')`
Add user backend 2016-10-14 16:49:59 +00:00			`raise exceptions.AuthenticationFailed(msg)`
Add access key auth 2016-12-21 17:07:05 +00:00
			`access_key_id = sign[0]`
[Fix] 修改一些api bug 2017-01-20 05:59:53 +00:00			`try:`
			`uuid.UUID(access_key_id)`
			`except ValueError:`
			`raise exceptions.AuthenticationFailed('Access key id invalid')`
Finish access key auth 2016-12-25 05:15:28 +00:00			`request_signature = sign[1]`
Add user backend 2016-10-14 16:49:59 +00:00
[Change] 拆分user view为多个view 2017-01-17 08:34:47 +00:00			`return self.authenticate_credentials(`
Update terminal api 2017-10-31 03:34:20 +00:00			`request, access_key_id, request_signature`
			`)`
Add access key auth 2016-12-21 17:07:05 +00:00
Update api 2016-12-29 11:17:00 +00:00			`@staticmethod`
			`def authenticate_credentials(request, access_key_id, request_signature):`
Add access key auth 2016-12-21 17:07:05 +00:00			`access_key = get_object_or_none(AccessKey, id=access_key_id)`
Finish access key auth 2016-12-25 05:15:28 +00:00			`request_date = get_request_date_header(request)`
Add access key auth 2016-12-21 17:07:05 +00:00			`if access_key is None or not access_key.user:`
			`raise exceptions.AuthenticationFailed(_('Invalid signature.'))`
Finish access key auth 2016-12-25 05:15:28 +00:00			`access_key_secret = access_key.secret`

			`try:`
			`request_unix_time = http_to_unixtime(request_date)`
			`except ValueError:`
[Change] 拆分user view为多个view 2017-01-17 08:34:47 +00:00			`raise exceptions.AuthenticationFailed(`
			`_('HTTP header: Date not provide '`
			`'or not %a, %d %b %Y %H:%M:%S GMT'))`
Finish access key auth 2016-12-25 05:15:28 +00:00
[Change] 拆分user view为多个view 2017-01-17 08:34:47 +00:00			`if int(time.time()) - request_unix_time > 15 * 60:`
			`raise exceptions.AuthenticationFailed(`
			`_('Expired, more than 15 minutes'))`
Finish access key auth 2016-12-25 05:15:28 +00:00
			`signature = make_signature(access_key_secret, request_date)`
			`if not signature == request_signature:`
[Change] 拆分user view为多个view 2017-01-17 08:34:47 +00:00			`raise exceptions.AuthenticationFailed(_('Invalid signature.'))`
Add access key auth 2016-12-21 17:07:05 +00:00
			`if not access_key.user.is_active:`
			`raise exceptions.AuthenticationFailed(_('User disabled.'))`
			`return access_key.user, None`
Add auth and permission backends 2016-10-15 08:04:54 +00:00

Finish token access api 2016-10-31 10:58:23 +00:00			`class AccessTokenAuthentication(authentication.BaseAuthentication):`
Update api 2016-12-16 11:32:05 +00:00			`keyword = 'Bearer'`
Finish token access api 2016-10-31 10:58:23 +00:00			`model = User`
[Feature] 添加basic settings 2018-01-12 07:43:26 +00:00			`expiration = settings.TOKEN_EXPIRATION or 3600`
Finish token access api 2016-10-31 10:58:23 +00:00
			`def authenticate(self, request):`
			`auth = authentication.get_authorization_header(request).split()`
			`if not auth or auth[0].lower() != self.keyword.lower().encode():`
			`return None`

			`if len(auth) == 1:`
			`msg = _('Invalid token header. No credentials provided.')`
			`raise exceptions.AuthenticationFailed(msg)`
			`elif len(auth) > 2:`
[Change] 拆分user view为多个view 2017-01-17 08:34:47 +00:00			`msg = _('Invalid token header. Sign string '`
			`'should not contain spaces.')`
Finish token access api 2016-10-31 10:58:23 +00:00			`raise exceptions.AuthenticationFailed(msg)`

			`try:`
			`token = auth[1].decode()`
			`except UnicodeError:`
[Change] 拆分user view为多个view 2017-01-17 08:34:47 +00:00			`msg = _('Invalid token header. Sign string '`
			`'should not contain invalid characters.')`
Finish token access api 2016-10-31 10:58:23 +00:00			`raise exceptions.AuthenticationFailed(msg)`
Update app terminal name to applications 2016-12-25 15:10:53 +00:00			`return self.authenticate_credentials(token)`
Finish token access api 2016-10-31 10:58:23 +00:00
Update api 2016-12-29 11:17:00 +00:00			`@staticmethod`
			`def authenticate_credentials(token):`
Finish token access api 2016-10-31 10:58:23 +00:00			`user_id = cache.get(token)`
			`user = get_object_or_none(User, id=user_id)`

			`if not user:`
Update app terminal name to applications 2016-12-25 15:10:53 +00:00			`msg = _('Invalid token or cache refreshed.')`
			`raise exceptions.AuthenticationFailed(msg)`
Finish token access api 2016-10-31 10:58:23 +00:00			`return user, None`
Update app terminal name to applications 2016-12-25 15:10:53 +00:00

			`class PrivateTokenAuthentication(authentication.TokenAuthentication):`
			`model = PrivateToken`
Update api 2016-12-28 16:29:59 +00:00

			`class SessionAuthentication(authentication.SessionAuthentication):`
			`def enforce_csrf(self, request):`
[Change] 拆分user view为多个view 2017-01-17 08:34:47 +00:00			`reason = CSRFCheck().process_view(request, None, (), {})`
			`if reason:`
			`raise exceptions.AuthenticationFailed(reason)`