jumpserver/apps/authentication/mixins.py

169 lines
6.0 KiB
Python
Raw Normal View History

2019-11-05 10:46:29 +00:00
# -*- coding: utf-8 -*-
#
import time
2019-11-08 12:17:25 +00:00
from django.conf import settings
2019-11-05 10:46:29 +00:00
from common.utils import get_object_or_none, get_request_ip, get_logger
from users.models import User
from users.utils import (
is_block_login, clean_failed_count, increase_login_failed_count
)
from . import errors
from .utils import check_user_valid
from .signals import post_auth_success, post_auth_failed
logger = get_logger(__name__)
class AuthMixin:
request = None
def get_user_from_session(self):
if self.request.session.is_empty():
raise errors.SessionEmptyError()
if self.request.user and not self.request.user.is_anonymous:
return self.request.user
user_id = self.request.session.get('user_id')
if not user_id:
user = None
else:
user = get_object_or_none(User, pk=user_id)
if not user:
raise errors.SessionEmptyError()
2019-11-11 03:54:32 +00:00
user.backend = self.request.session.get("auth_backend")
2019-11-05 10:46:29 +00:00
return user
def get_request_ip(self):
ip = ''
if hasattr(self.request, 'data'):
ip = self.request.data.get('remote_addr', '')
ip = ip or get_request_ip(self.request)
return ip
def check_is_block(self):
if hasattr(self.request, 'data'):
username = self.request.data.get("username")
else:
username = self.request.POST.get("username")
ip = self.get_request_ip()
if is_block_login(username, ip):
logger.warn('Ip was blocked' + ': ' + username + ':' + ip)
raise errors.BlockLoginError(username=username, ip=ip)
def check_user_auth(self):
self.check_is_block()
2019-11-08 12:17:25 +00:00
request = self.request
2019-11-05 10:46:29 +00:00
if hasattr(request, 'data'):
username = request.data.get('username', '')
password = request.data.get('password', '')
public_key = request.data.get('public_key', '')
else:
username = request.POST.get('username', '')
password = request.POST.get('password', '')
public_key = request.POST.get('public_key', '')
user, error = check_user_valid(
username=username, password=password,
public_key=public_key
)
ip = self.get_request_ip()
if not user:
raise errors.CredentialError(
username=username, error=error, ip=ip, request=request
)
clean_failed_count(username, ip)
request.session['auth_password'] = 1
request.session['user_id'] = str(user.id)
2019-11-11 03:54:32 +00:00
auth_backend = getattr(user, 'backend', 'django.contrib.auth.backends.ModelBackend')
request.session['auth_backend'] = auth_backend
2019-11-05 10:46:29 +00:00
return user
2019-11-08 12:17:25 +00:00
def check_user_auth_if_need(self):
request = self.request
if request.session.get('auth_password') and \
request.session.get('user_id'):
user = self.get_user_from_session()
if user:
return user
return self.check_user_auth()
2019-11-05 10:46:29 +00:00
def check_user_mfa_if_need(self, user):
if self.request.session.get('auth_mfa'):
2019-11-08 12:17:25 +00:00
return
2019-11-18 08:30:26 +00:00
if not user.mfa_enabled:
return
if not user.otp_secret_key and user.mfa_is_otp():
2019-11-08 12:17:25 +00:00
return
2019-11-05 10:46:29 +00:00
raise errors.MFARequiredError()
def check_user_mfa(self, code):
user = self.get_user_from_session()
2019-11-18 10:12:03 +00:00
ok = user.check_mfa(code)
2019-11-05 10:46:29 +00:00
if ok:
self.request.session['auth_mfa'] = 1
self.request.session['auth_mfa_time'] = time.time()
self.request.session['auth_mfa_type'] = 'otp'
return
raise errors.MFAFailedError(username=user.username, request=self.request)
2019-11-08 12:17:25 +00:00
def get_ticket(self):
2019-11-15 10:55:35 +00:00
from tickets.models import Ticket
2019-11-08 12:17:25 +00:00
ticket_id = self.request.session.get("auth_ticket_id")
logger.debug('Login confirm ticket id: {}'.format(ticket_id))
if not ticket_id:
ticket = None
else:
2019-11-15 10:55:35 +00:00
ticket = get_object_or_none(Ticket, pk=ticket_id)
2019-11-08 12:17:25 +00:00
return ticket
def get_ticket_or_create(self, confirm_setting):
ticket = self.get_ticket()
2019-11-11 08:43:09 +00:00
if not ticket or ticket.status == ticket.STATUS_CLOSED:
2019-11-07 10:06:58 +00:00
ticket = confirm_setting.create_confirm_ticket(self.request)
self.request.session['auth_ticket_id'] = str(ticket.id)
2019-11-08 12:17:25 +00:00
return ticket
2019-11-05 10:46:29 +00:00
2019-11-08 12:17:25 +00:00
def check_user_login_confirm(self):
ticket = self.get_ticket()
if not ticket:
raise errors.LoginConfirmOtherError('', "Not found")
if ticket.status == ticket.STATUS_OPEN:
raise errors.LoginConfirmWaitError(ticket.id)
elif ticket.action == ticket.ACTION_APPROVE:
self.request.session["auth_confirm"] = "1"
2019-11-05 10:46:29 +00:00
return
2019-11-08 12:17:25 +00:00
elif ticket.action == ticket.ACTION_REJECT:
raise errors.LoginConfirmOtherError(
ticket.id, ticket.get_action_display()
)
2019-11-05 10:46:29 +00:00
else:
2019-11-08 12:17:25 +00:00
raise errors.LoginConfirmOtherError(
ticket.id, ticket.get_status_display()
)
def check_user_login_confirm_if_need(self, user):
Config (#3502) * [Update] 修改config * [Update] 移动存储设置到到terminal中 * [Update] 修改permission 查看 * [Update] pre merge * [Update] 录像存储 * [Update] 命令存储 * [Update] 添加存储测试可连接性 * [Update] 修改 meta 值的 key 为大写 * [Update] 修改 Terminal 相关 Storage 配置 * [Update] 删除之前获取录像/命令存储的代码 * [Update] 修改导入失败 * [Update] 迁移文件添加default存储 * [Update] 删除之前代码,添加help_text信息 * [Update] 删除之前代码 * [Update] 删除之前代码 * [Update] 抽象命令/录像存储 APIView * [Update] 抽象命令/录像存储 APIView 1 * [Update] 抽象命令/录像存储 DictField * [Update] 抽象命令/录像存储列表页面 * [Update] 修复CustomDictField的bug * [Update] RemoteApp 页面添加 hidden * [Update] 用户页面添加用户关联授权 * [Update] 修改存储测试可连接性 target * [Update] 修改配置 * [Update] 修改存储前端 Form 渲染逻辑 * [Update] 修改存储细节 * [Update] 统一存储类型到 const 文件 * [Update] 修改迁移文件及Model,创建默认存储 * [Update] 修改迁移文件及Model初始化默认数据 * [Update] 修改迁移文件 * [Update] 修改迁移文件 * [Update] 修改迁移文件 * [Update] 修改迁移文件 * [Update] 修改迁移文件 * [Update] 修改迁移文件 * [Update] 修改迁移文件 * [Update] 限制删除默认存储配置,只允许创建扩展的存储类型 * [Update] 修改ip字段长度 * [Update] 修改ip字段长度 * [Update] 修改一些css * [Update] 修改关联 * [Update] 添加操作日志定时清理 * [Update] 修改记录syslog的instance encoder * [Update] 忽略登录产生的操作日志 * [Update] 限制更新存储时不覆盖原有AK SK 等字段 * [Update] 修改迁移文件添加comment字段 * [Update] 修改迁移文件 * [Update] 添加 comment 字段 * [Update] 修改默认存储no -> null * [Update] 修改细节 * [Update] 更新翻译(存储配置 * [Update] 修改定时任务注册,修改系统用户资产、节点关系api * [Update] 添加监控磁盘任务 * [Update] 修改session * [Update] 拆分serializer * [Update] 还原setting原来的manager
2019-12-05 07:09:25 +00:00
if not settings.LOGIN_CONFIRM_ENABLE:
2019-11-08 12:17:25 +00:00
return
confirm_setting = user.get_login_confirm_setting()
if self.request.session.get('auth_confirm') or not confirm_setting:
return
self.get_ticket_or_create(confirm_setting)
self.check_user_login_confirm()
2019-11-05 10:46:29 +00:00
def clear_auth_mark(self):
self.request.session['auth_password'] = ''
2019-11-08 12:17:25 +00:00
self.request.session['auth_user_id'] = ''
2019-11-05 10:46:29 +00:00
self.request.session['auth_mfa'] = ''
self.request.session['auth_confirm'] = ''
2019-11-07 10:06:58 +00:00
self.request.session['auth_ticket_id'] = ''
2019-11-05 10:46:29 +00:00
def send_auth_signal(self, success=True, user=None, username='', reason=''):
if success:
post_auth_success.send(
sender=self.__class__, user=user, request=self.request
)
else:
post_auth_failed.send(
sender=self.__class__, username=username,
request=self.request, reason=reason
)