# ~*~ coding: utf-8 ~*~
#
from __future__ import unicode_literals

import base64
import html
import ipaddress
import logging
import os
import re
import uuid
from datetime import datetime
from urllib.parse import quote, urlparse

import pyotp
import requests
from django.conf import settings
from django.contrib.auth import authenticate
from django.contrib.auth.mixins import UserPassesTestMixin
from django.core.cache import cache
from django.http import Http404
from django.utils.translation import ugettext as _

from common.forms import SecuritySettingForm
from common.models import Setting
from common.tasks import send_mail_async
from common.utils import reverse, get_object_or_none
from .models import User, LoginLog
# Module logger. Named 'jumpserver' rather than __name__, presumably so every
# module shares one project-wide logger configuration — confirm in settings.LOGGING.
logger = logging.getLogger('jumpserver')
class AdminUserRequiredMixin(UserPassesTestMixin):
    """View mixin that admits only authenticated superusers.

    Anonymous requests simply fail ``test_func`` and get the mixin's default
    access-denied handling (a login redirect in Django). An authenticated
    user who is not a superuser sets ``raise_exception`` before failing, so
    the mixin raises (a 403) instead of bouncing an already-logged-in user
    back to the login page.
    """

    def test_func(self):
        """Return True only for an authenticated superuser."""
        user = self.request.user
        if not user.is_authenticated:
            return False
        if user.is_superuser:
            return True
        # Logged in but not an admin: deny outright rather than redirect.
        self.raise_exception = True
        return False
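def send_user_created_mail(user):
    """Email a newly created user a link to set their password.

    The same body is sent as plain text and as ``html_message``. Because it
    is rendered as HTML, ``user.name`` and ``user.username`` are HTML-escaped
    before interpolation (the original interpolated them raw, so a crafted
    display name could inject markup into the mail), and ``user.email`` is
    URL-encoded before it is placed in the ``?email=`` query string.

    The one-time token comes from ``user.generate_reset_token()``; the
    template says it is valid for one hour — that expiry is enforced by the
    token itself, not here.

    :param user: object exposing ``name``, ``username``, ``email`` and
        ``generate_reset_token()``; the mail goes to ``user.email`` only.
    """
    subject = _('Create account successfully')
    recipient_list = [user.email]
    message = _("""
    Hello %(name)s:
    </br>
    Your account has been created successfully
    </br>
    Username: %(username)s
    </br>
    <a href="%(rest_password_url)s?token=%(rest_password_token)s">click here to set your password</a>
    </br>
    This link is valid for 1 hour. After it expires, <a href="%(forget_password_url)s?email=%(email)s">request new one</a>

    </br>
    ---

    </br>
    <a href="%(login_url)s">Login direct</a>

    </br>
    """) % {
        'name': html.escape(str(user.name)),
        'username': html.escape(str(user.username)),
        'rest_password_url': reverse('users:reset-password', external=True),
        'rest_password_token': user.generate_reset_token(),
        'forget_password_url': reverse('users:forgot-password', external=True),
        # safe='' so '@' and '+' in the address survive the query string intact.
        'email': quote(str(user.email), safe=''),
        'login_url': reverse('users:login', external=True),
    }
    if settings.DEBUG:
        # Same channel as the other mail helpers (they use logger.debug, this
        # one used print()). NOTE(review): the body contains a live reset
        # token, so this log line is itself a secret — keep DEBUG off in
        # production.
        logger.debug(message)
    send_mail_async.delay(subject, message, recipient_list, html_message=message)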
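def send_reset_password_mail(user):
    """Email ``user`` a one-time password-reset link.

    The body doubles as ``html_message``, so ``user.name`` is HTML-escaped
    before interpolation (it was interpolated raw before) and ``user.email``
    is URL-encoded for the ``?email=`` query string in the "request new one"
    link. The token is produced by ``user.generate_reset_token()``; the
    template states a one-hour validity that is enforced by the token, not
    by this function.

    :param user: object exposing ``name``, ``email`` and
        ``generate_reset_token()``; the mail goes to ``user.email`` only.
    """
    subject = _('Reset password')
    recipient_list = [user.email]
    message = _("""
    Hello %(name)s:
    </br>
    Please click the link below to reset your password, if not your request, concern your account security
    </br>
    <a href="%(rest_password_url)s?token=%(rest_password_token)s">Click here reset password</a>
    </br>
    This link is valid for 1 hour. After it expires, <a href="%(forget_password_url)s?email=%(email)s">request new one</a>

    </br>
    ---

    </br>
    <a href="%(login_url)s">Login direct</a>

    </br>
    """) % {
        'name': html.escape(str(user.name)),
        'rest_password_url': reverse('users:reset-password', external=True),
        'rest_password_token': user.generate_reset_token(),
        'forget_password_url': reverse('users:forgot-password', external=True),
        # safe='' so '@' and '+' in the address survive the query string intact.
        'email': quote(str(user.email), safe=''),
        'login_url': reverse('users:login', external=True),
    }
    if settings.DEBUG:
        # NOTE(review): this writes the reset token to the log; only ever
        # enable DEBUG where the log is as protected as the mailbox would be.
        logger.debug(message)
    send_mail_async.delay(subject, message, recipient_list, html_message=message)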
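def send_password_expiration_reminder_mail(user):
    """Warn ``user`` that their password expires on ``user.date_password_expired``.

    The body is sent as both plain text and ``html_message``, so
    ``user.name`` is HTML-escaped before interpolation (previously raw) and
    ``user.email`` is URL-encoded for the ``?email=`` query string. The
    expiry is rendered through a timestamp round-trip, which turns an aware
    datetime into local naive time before ``strftime``.

    :param user: object exposing ``name``, ``email`` and
        ``date_password_expired`` (a datetime); mail goes to ``user.email``.
    """
    subject = _('Security notice')
    recipient_list = [user.email]
    # fromtimestamp() without tz yields local time, so the mail shows the
    # server's local clock regardless of the stored timezone.
    expires_local = datetime.fromtimestamp(
        datetime.timestamp(user.date_password_expired)
    ).strftime('%Y-%m-%d %H:%M')
    message = _("""
    Hello %(name)s:
    </br>
    Your password will expire in %(date_password_expired)s,
    </br>
    For your account security, please click on the link below to update your password in time
    </br>
    <a href="%(update_password_url)s">Click here update password</a>
    </br>
    If your password has expired, please click
    <a href="%(forget_password_url)s?email=%(email)s">Password expired</a>
    to apply for a password reset email.

    </br>
    ---

    </br>
    <a href="%(login_url)s">Login direct</a>

    </br>
    """) % {
        'name': html.escape(str(user.name)),
        'date_password_expired': expires_local,
        'update_password_url': reverse('users:user-password-update', external=True),
        'forget_password_url': reverse('users:forgot-password', external=True),
        # safe='' so '@' and '+' in the address survive the query string intact.
        'email': quote(str(user.email), safe=''),
        'login_url': reverse('users:login', external=True),
    }
    if settings.DEBUG:
        logger.debug(message)
    send_mail_async.delay(subject, message, recipient_list, html_message=message)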
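def send_reset_ssh_key_mail(user):
    """Tell ``user`` that an administrator reset their SSH public key.

    The body is delivered as both plain text and ``html_message``, so
    ``user.name`` is HTML-escaped before interpolation (it was interpolated
    raw before). No token is involved; the mail only links to the login page.

    :param user: object exposing ``name`` and ``email``; the mail goes to
        ``user.email`` only.
    """
    subject = _('SSH Key Reset')
    recipient_list = [user.email]
    message = _("""
    Hello %(name)s:
    </br>
    Your ssh public key has been reset by site administrator.
    Please login and reset your ssh public key.
    </br>
    <a href="%(login_url)s">Login direct</a>

    </br>
    """) % {
        'name': html.escape(str(user.name)),
        'login_url': reverse('users:login', external=True),
    }
    if settings.DEBUG:
        logger.debug(message)
    send_mail_async.delay(subject, message, recipient_list, html_message=message)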
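def check_user_valid(**kwargs):
    """Look a user up by ``username`` or ``email`` and verify one credential.

    Accepted kwargs: ``username``, ``email``, ``password``, ``public_key``.
    Returns ``(user, '')`` on success, otherwise ``(None, reason)``.

    Order of checks: existence, ``user.is_valid``, then the password through
    Django's ``authenticate``, then the public key. The stored key is split
    on whitespace; with one field the whole value is compared, with more
    than one the *second* field (the key body of an ``ssh-<type> <body>
    [comment]`` line) is compared against ``public_key``.

    Fix: ``authenticate`` is now given the resolved ``user.username``. The
    original passed the caller's ``username`` kwarg, which is ``None`` when
    the lookup was by email, so password login by email could never succeed.

    NOTE(review): the three failure strings are distinct, so a caller that
    surfaces them verbatim lets clients tell "no such user" apart from "bad
    credential" (account enumeration). Collapse them at the presentation
    layer where that matters.
    """
    password = kwargs.pop('password', None)
    public_key = kwargs.pop('public_key', None)
    email = kwargs.pop('email', None)
    username = kwargs.pop('username', None)

    if username:
        user = get_object_or_none(User, username=username)
    elif email:
        user = get_object_or_none(User, email=email)
    else:
        user = None

    if user is None:
        return None, _('User not exist')
    elif not user.is_valid:
        return None, _('Disabled or expired')

    # Authenticate against the resolved record's own username so an
    # email-based lookup works as well as a username-based one.
    if password and authenticate(username=user.username, password=password):
        return user, ''

    if public_key and user.public_key:
        public_key_saved = user.public_key.split()
        if len(public_key_saved) == 1:
            if public_key == public_key_saved[0]:
                return user, ''
        elif len(public_key_saved) > 1:
            # Compare the key body only; type prefix and comment are ignored.
            if public_key == public_key_saved[1]:
                return user, ''
    return None, _('Password or SSH public key invalid')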
def validate_ip(ip):
    """Return True if ``ip`` parses as an IPv4 or IPv6 address, else False.

    Delegates to ``ipaddress.ip_address``; whatever it rejects with
    ``ValueError`` (``''``, ``None``, a CIDR suffix, out-of-range octets)
    yields False. Note that it also accepts integers, as ``ip_address`` does.
    """
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False
    return True
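def write_login_log(*args, **kwargs):
    """Create a ``LoginLog`` row from ``kwargs`` after normalising ``ip``/``city``.

    A valid ``ip`` (per ``validate_ip``) is geolocated with ``get_ip_city``;
    a missing or malformed one is stored truncated to 15 characters (IPv4
    width — presumably the column size, confirm in the model) with
    ``city='Unknown'``. ``*args`` is accepted for call compatibility only.

    Fix: ``kwargs['ip']`` of ``None`` used to raise ``TypeError`` on the
    slice; it is now treated like a missing address.
    """
    ip = kwargs.get('ip') or ''
    if validate_ip(ip):
        city = get_ip_city(ip)
    else:
        # Not a real address: keep a bounded fragment for forensics only.
        ip = ip[:15]
        city = "Unknown"
    kwargs.update({'ip': ip, 'city': city})
    LoginLog.objects.create(**kwargs)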
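def get_ip_city(ip, timeout=10):
    """Best-effort geolocation of ``ip`` through the Taobao IP API.

    Returns ``'Unknown'`` on any request error, non-200 status, malformed
    JSON, non-zero API ``code`` or unexpected response shape; otherwise
    ``'<country> <city>'``, or just ``'<city>'`` when the API reports the
    country as ``'XX'``.

    NOTE(review): every logged-in client's address is sent to a third-party
    service over plain HTTP. Deployments that must not leak client IPs should
    disable or replace this lookup.

    Fixes: the bare ``except:`` (which also swallowed KeyboardInterrupt) is
    narrowed to ``requests.RequestException``; ``KeyError``/``TypeError``
    from an unexpected payload no longer escape a log-writing path; the IP
    is passed as a query parameter instead of being formatted into the URL.

    :param ip: address to look up; callers validate it (``validate_ip``).
    :param timeout: seconds passed to ``requests.get``.
    """
    # Taobao ip api: http://ip.taobao.com/service/getIpInfo.php?ip=8.8.8.8
    # Sina ip api: http://int.dpool.sina.com.cn/iplookup/iplookup.php?ip=8.8.8.8&format=json
    url = 'http://ip.taobao.com/service/getIpInfo.php'
    city = 'Unknown'
    try:
        r = requests.get(url, params={'ip': ip}, timeout=timeout)
    except requests.RequestException as e:
        logger.debug('ip lookup failed for %s: %s', ip, e)
        return city
    if r.status_code != 200:
        return city
    try:
        data = r.json()
        # The API answers with a bare integer on some failures.
        if isinstance(data, int) or data['code'] != 0:
            return city
        country = data['data']['country']
        _city = data['data']['city']
        # 'XX' is the API's "country unknown" marker; omit it.
        city = _city if country == 'XX' else ' '.join([country, _city])
    except (ValueError, KeyError, TypeError):
        # ValueError: not JSON; KeyError/TypeError: unexpected shape or nulls.
        pass
    return city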
def get_user_or_tmp_user(request):
    """Return the authenticated user, else the user parked in the cache for
    this session (see ``set_tmp_user_to_cache``), else raise ``Http404``.

    The cached user is only consulted when nobody is logged in, so a real
    session always wins over a pending one.
    """
    if request.user.is_authenticated:
        return request.user
    pending = get_tmp_user_from_cache(request)
    if pending:
        return pending
    raise Http404("Not found this user")
def get_tmp_user_from_cache(request):
    """Return the user cached under ``<session_key>user`` for this session.

    Returns ``None`` when the session has no key yet (nothing could have
    been cached for it) or when the cache holds no entry / it has expired.
    """
    session_key = request.session.session_key
    if not session_key:
        return None
    return cache.get(session_key + 'user')
def set_tmp_user_to_cache(request, user):
    """Park ``user`` in the cache under ``<session_key>user`` for 600 seconds.

    Counterpart of ``get_tmp_user_from_cache``. Unlike the getter, this does
    not guard against a session without a key: the concatenation raises
    ``TypeError`` if ``session_key`` is ``None``, so callers need a saved
    session first.
    """
    cache_key = request.session.session_key + 'user'
    cache.set(cache_key, user, 600)
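def _is_local_redirect(url):
    """True only for a same-site, path-only target such as ``/assets/?page=2``.

    Rejects anything carrying a scheme or host (``http://evil``, ``//evil``)
    and the ``/\\`` prefix that browsers normalise to ``//``.
    """
    if not isinstance(url, str):
        return False
    url = url.strip()
    if not url.startswith('/') or url.startswith(('//', '/\\')):
        return False
    parsed = urlparse(url)
    return not parsed.scheme and not parsed.netloc


def redirect_user_first_login_or_index(request, redirect_field_name):
    """Pick the post-login destination.

    First-time users go to ``users:user-first-login``. Otherwise the
    ``redirect_field_name`` value from ``request.POST`` (falling back to
    ``request.GET``) is used, but only when it is a local path; anything
    else — including an absolute URL to another host — falls back to
    ``reverse('index')``.

    Fix: the original returned the request-supplied value unchecked, which
    is an open redirect (``?next=https://attacker.example`` after login).
    """
    if request.user.is_first_login:
        return reverse('users:user-first-login')
    target = request.POST.get(
        redirect_field_name, request.GET.get(redirect_field_name))
    if _is_local_redirect(target):
        return target
    return reverse('index')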
def generate_otp_uri(request, issuer="Jumpserver"):
    """Return ``(provisioning_uri, secret)`` for enrolling TOTP in this session.

    The secret is 10 bytes from ``os.urandom`` (80 bits) base32-encoded,
    created once per session and kept in the cache for 600 s under
    ``<session_key>otp_key`` so repeated QR renders show the same key. The
    user comes from ``get_user_or_tmp_user`` (logged in or pending login);
    its username becomes the account label in the URI.
    """
    user = get_user_or_tmp_user(request)
    cache_key = request.session.session_key + 'otp_key'
    secret = cache.get(cache_key, '')
    if not secret:
        secret = base64.b32encode(os.urandom(10)).decode('utf-8')
        cache.set(cache_key, secret, 600)
    uri = pyotp.TOTP(secret).provisioning_uri(name=user.username, issuer_name=issuer)
    return uri, secret
def check_otp_code(otp_secret_key, otp_code):
    """Verify a TOTP ``otp_code`` against ``otp_secret_key``.

    An empty secret or code short-circuits to False; otherwise pyotp's
    ``verify`` decides, with its default tolerance (no ``valid_window``).
    NOTE(review): nothing here records accepted codes, so a code can be
    replayed within its validity step unless the caller prevents that.
    """
    if otp_secret_key and otp_code:
        return pyotp.TOTP(otp_secret_key).verify(otp_code)
    return False
def get_password_check_rules():
    """Build the password-rule list handed to the client-side checker.

    Each name in ``settings.SECURITY_PASSWORD_RULES`` is read from settings;
    falsy values are skipped and the rest become
    ``{'key': 'id_<name lowercased>', 'value': int(value)}``.
    """
    rules = []
    for name in settings.SECURITY_PASSWORD_RULES:
        raw = getattr(settings, name)
        if not raw:
            continue
        rules.append({'key': "id_{}".format(name.lower()), 'value': int(raw)})
    return rules
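def check_password_rules(password):
    """Return True if ``password`` satisfies the SECURITY_PASSWORD_* policy.

    Builds one regex from settings: optional look-aheads requiring an
    upper-case letter, lower-case letter, digit and/or special character,
    then a first character from the allowed alphabet and at least
    ``SECURITY_PASSWORD_MIN_LENGTH - 1`` further characters.

    NOTE(review): only the first character is restricted to the allowed
    alphabet — the ``.{n,}`` tail accepts any non-newline character — and the
    unescaped ``-`` in ``\\)-=`` forms a ``)``..``=`` range rather than a
    literal dash. Both quirks are preserved so existing passwords keep
    validating; tighten deliberately if that is not the intent.

    Changes: the fragments are raw strings (``'\\d'`` and friends were
    invalid escapes that Python only tolerates with a DeprecationWarning —
    the resulting regex is byte-identical), and a non-string password
    returns False instead of raising inside ``re.match``.
    """
    if not isinstance(password, str):
        return False
    pattern = r"^"
    if settings.SECURITY_PASSWORD_UPPER_CASE:
        pattern += r'(?=.*[A-Z])'
    if settings.SECURITY_PASSWORD_LOWER_CASE:
        pattern += r'(?=.*[a-z])'
    if settings.SECURITY_PASSWORD_NUMBER:
        pattern += r'(?=.*\d)'
    if settings.SECURITY_PASSWORD_SPECIAL_CHAR:
        pattern += r'(?=.*[`~!@#\$%\^&\*\(\)-=_\+\[\]\{\}\|;:\'\",\.<>\/\?])'
    pattern += r'[a-zA-Z\d`~!@#\$%\^&\*\(\)-=_\+\[\]\{\}\|;:\'\",\.<>\/\?]'
    pattern += '.{' + str(settings.SECURITY_PASSWORD_MIN_LENGTH - 1) + ',}$'
    return bool(re.match(pattern, password))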
# Cache-key templates for login throttling: the first counts failures per
# (username, ip); the second marks a username as blocked. Values are
# interpolated raw, so a username containing spaces or control characters
# ends up in the key verbatim — fine for the Django cache API, but confirm
# the configured backend tolerates it.
key_prefix_limit = "_LOGIN_LIMIT_{}_{}"
key_prefix_block = "_LOGIN_BLOCK_{}"
# def increase_login_failed_count(key_limit, key_block):
def increase_login_failed_count(username, ip):
    """Bump the failed-login counter for ``(username, ip)``.

    The counter lives in the cache under ``key_prefix_limit``; every failure
    re-arms its expiry to ``settings.SECURITY_LOGIN_LIMIT_TIME`` minutes, so
    the window slides from the latest failure.
    NOTE(review): this is a read-modify-write rather than an atomic
    increment, so concurrent failures for the same pair can under-count.
    """
    key_limit = key_prefix_limit.format(username, ip)
    current = cache.get(key_limit)
    new_count = (current or 0) + 1
    window_seconds = int(settings.SECURITY_LOGIN_LIMIT_TIME) * 60
    cache.set(key_limit, new_count, window_seconds)
def clean_failed_count(username, ip):
    """Forget the failure counter for ``(username, ip)`` and the block marker
    for ``username`` — called after a successful login."""
    for key in (key_prefix_limit.format(username, ip),
                key_prefix_block.format(username)):
        cache.delete(key)
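def is_block_login(username, ip):
    """Return True when ``(username, ip)`` has reached the failed-login limit.

    Reads the counter maintained by ``increase_login_failed_count``. Once it
    reaches ``settings.SECURITY_LOGIN_LIMIT_COUNT`` a per-username block
    marker is set for ``SECURITY_LOGIN_LIMIT_TIME`` minutes and True is
    returned; otherwise False.

    Fix: the original fell off the end and returned ``None`` when not
    blocked; it now always returns a bool. The original's edge case is kept:
    a limit of 0 marks the block key but, with a zero counter, still does
    not report the attempt as blocked.

    NOTE(review): the block marker is written here but never read here — the
    decision rests solely on the (username, ip) counter, so the same
    username from a different IP is not rejected by it. ``is_need_unblock``
    is the marker's only reader in this file.
    """
    key_limit = key_prefix_limit.format(username, ip)
    key_block = key_prefix_block.format(username)
    count = cache.get(key_limit, 0)

    limit_count = settings.SECURITY_LOGIN_LIMIT_COUNT
    limit_time = settings.SECURITY_LOGIN_LIMIT_TIME

    reached = count >= limit_count
    if reached:
        cache.set(key_block, 1, int(limit_time) * 60)
    return bool(count) and reached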
def is_need_unblock(key_block):
    """True if the block marker ``key_block`` is present (truthy) in the cache.

    ``key_block`` is the full cache key, i.e. ``key_prefix_block`` already
    formatted with the username.
    """
    return bool(cache.get(key_block))