jumpserver/apps/users/signal_handlers.py

272 lines
9.1 KiB
Python
Raw Normal View History

2018-02-27 04:18:36 +00:00
# -*- coding: utf-8 -*-
#
2023-09-13 08:52:11 +00:00
from celery import shared_task
from django.conf import settings
2023-09-13 08:52:11 +00:00
from django.contrib.auth.signals import user_logged_out
from django.db.models.signals import post_save
2023-02-08 02:14:09 +00:00
from django.dispatch import receiver
2023-07-24 03:52:25 +00:00
from django.utils.translation import gettext_lazy as _
2023-02-08 02:14:09 +00:00
from django_auth_ldap.backend import populate_user
from django_cas_ng.signals import cas_user_authenticated
2018-02-27 04:18:36 +00:00
2023-09-15 09:15:15 +00:00
from audits.models import UserSession
2023-02-08 02:14:09 +00:00
from authentication.backends.oauth2.signals import oauth2_create_or_update_user
from authentication.backends.oidc.signals import openid_create_or_update_user
from authentication.backends.radius.signals import radius_create_user
from authentication.backends.saml2.signals import saml2_create_or_update_user
2024-03-12 11:33:26 +00:00
from common.const.crontab import CRONTAB_AT_AM_TWO
2023-02-08 02:14:09 +00:00
from common.decorators import on_transaction_commit
2024-03-12 11:33:26 +00:00
from common.sessions.cache import user_session_manager
2024-03-11 06:33:14 +00:00
from common.signals import django_ready
2018-02-27 04:18:36 +00:00
from common.utils import get_logger
from jumpserver.utils import get_current_request
2023-09-13 08:52:11 +00:00
from ops.celery.decorator import register_as_period_task
from orgs.models import Organization
from orgs.utils import tmp_to_root_org
from rbac.builtin import BuiltinRole
from rbac.const import Scope
from rbac.models import RoleBinding
2024-03-11 06:33:14 +00:00
from settings.signals import setting_changed
from .models import User, UserPasswordHistory, UserGroup
2023-02-08 02:14:09 +00:00
from .signals import post_user_create
2018-02-27 04:18:36 +00:00
logger = get_logger(__file__)
def check_only_allow_exist_user_auth(created):
if created and settings.ONLY_ALLOW_EXIST_USER_AUTH:
request = get_current_request()
request.user_need_delete = True
request.error_message = _(
'''The administrator has enabled "Only allow existing users to log in",
and the current user is not in the user list. Please contact the administrator.'''
)
return False
return True
def user_authenticated_handle(user, created, source, attrs=None, **kwargs):
if not check_only_allow_exist_user_auth(created):
return
if created:
user.source = source
user.save()
org_ids = bind_user_to_org_role(user)
group_names = attrs.get('groups')
bind_user_to_group(org_ids, group_names, user)
if not attrs:
return
always_update = getattr(settings, 'AUTH_%s_ALWAYS_UPDATE_USER' % source.upper(), False)
if not created and always_update:
attr_whitelist = ('user', 'username', 'email', 'phone', 'comment')
logger.debug(
"Receive {} user updated signal: {}, "
"Update user info: {},"
"(Update only properties in the whitelist. [{}])"
"".format(source, user, str(attrs), ','.join(attr_whitelist))
)
for key, value in attrs.items():
if key in attr_whitelist and value:
setattr(user, key, value)
user.save()
@receiver(post_save, sender=User)
def save_passwd_change(sender, instance: User, **kwargs):
if instance.source != User.Source.local.value or not instance.password:
return
2023-02-08 02:14:09 +00:00
passwords = UserPasswordHistory.objects \
.filter(user=instance) \
.order_by('-date_created') \
.values_list('password', flat=True)[:settings.OLD_PASSWORD_HISTORY_LIMIT_COUNT]
if instance.password not in list(passwords):
UserPasswordHistory.objects.create(
user=instance, password=instance.password,
date_created=instance.date_password_last_updated
)
2022-03-21 10:06:33 +00:00
def update_role_superuser_if_need(user):
if not user._update_superuser:
return
value = user._is_superuser
if value:
user.system_roles.add_role_system_admin()
else:
user.system_roles.remove_role_system_admin()
@receiver(post_save, sender=User)
@on_transaction_commit
def on_user_create_set_default_system_role(sender, instance, created, **kwargs):
2022-03-21 10:06:33 +00:00
update_role_superuser_if_need(instance)
if not created:
return
has_system_role = instance.system_roles.all().exists()
if not has_system_role:
logger.debug("Receive user create signal, set default role")
instance.system_roles.add_role_system_user()
2018-04-03 08:28:58 +00:00
@receiver(post_user_create)
def on_user_create(sender, user=None, **kwargs):
logger.debug("Receive user `{}` create signal".format(user.name))
from .utils import send_user_created_mail
logger.info(" - Sending welcome mail ...".format(user.name))
request = get_current_request()
password_strategy = getattr(request, 'password_strategy', '')
if user.can_send_created_mail() and password_strategy == 'email':
2018-04-03 08:28:58 +00:00
send_user_created_mail(user)
1.5.7 Merge to dev (#3766) * [Update] 暂存,优化解决不了问题 * [Update] 待续(小白) * [Update] 修改asset user * [Update] 计划再次更改 * [Update] 修改asset user * [Update] 暂存与喜爱 * [Update] Add id in * [Update] 阶段性完成ops task该做 * [Update] 修改asset user api * [Update] 修改asset user 任务,查看认证等 * [Update] 基本完成asset user改造 * [Update] dynamic user only allow 1 * [Update] 修改asset user task * [Update] 修改node admin user task api * [Update] remove file header license * [Update] 添加sftp root * [Update] 暂存 * [Update] 暂存 * [Update] 修改翻译 * [Update] 修改系统用户改为同名后,用户名改为空 * [Update] 基本完成CAS调研 * [Update] 支持cas server * [Update] 支持cas server * [Update] 添加requirements * [Update] 为方便调试添加mysql ipython到包中 * [Update] 添加huaweiyun翻译 * [Update] 增加下载session 录像 * [Update] 只有第一次通知replay离线的使用方法 * [Update] 暂存一下 * [Bugfix] 获取系统用户信息报错 * [Bugfix] 修改system user info * [Update] 改成清理10天git status * [Update] 修改celery日志保留时间 * [Update]修复部分pip包依赖的版本不兼容问题 (#3672) * [Update] 修复用户更新页面会清空用户public_key的问题 * Fix broken dependencies Co-authored-by: BaiJiangJie <32935519+BaiJiangJie@users.noreply.github.com> * [Update] 修改获取系统用户auth info * [Update] Remove log * [Bugfix] 修复sftp home设置的bug * [Update] 授权的系统用户添加sftp root * [Update] 修改系统用户关联的用户 * [Update] 修改placeholder * [Update] 优化获取授权的系统用户 * [Update] 修改tasks * [Update] tree service update * [Update] 暂存 * [Update] 基本完成用户授权树和资产树改造 * [Update] Dashbaord perf * [update] Add huawei cloud sdk requirements * [Updte] 优化dashboard页面 * [Update] system user auth info 添加id * [Update] 修改系统用户serializer * [Update] 优化api * [Update] LDAP Test Util (#3720) * [Update] LDAPTestUtil 1 * [Update] LDAPTestUtil 2 * [Update] LDAPTestUtil 3 * [Update] LDAPTestUtil 4 * [Update] LDAPTestUtil 5 * [Update] LDAPTestUtil 6 * [Update] LDAPTestUtil 7 * [Update] session 已添加is success,并且添加display serializer * [Bugfix] 修复无法删除空节点的bug * [Update] 命令记录分组织显示 * [Update] Session is_success 添加迁移文件 * [Update] 批量命令添加org_id * [Update] 修复一些文案,修改不绑定MFA,不能ssh登录 * [Update] 修改replay api, 返回session信息 * [Update] 解决无效es导致访问命令记录页面失败的问题 * [Update] 拆分profile view * [Update] 修改一个翻译 * [Update] 修改aysnc api框架 * [Update] 命令列表添加risk level * [Update] 完成录像打包下载 * [Update] 更改登陆otp页面 * [Update] 修改command 存储redis_level * [Update] 修改翻译 * [Update] 修改系统用户的用户列表字段 * [Update] 使用新logo和统一Jumpserver为JumpServer * [Update] 优化cloud task * [Update] 统一period task * [Update] 统一period form serializer字段 * [Update] 修改period task * [Update] 修改资产网关信息 * [Update] 用户授权资产树资产信息添加domain * [Update] 修改翻译 * [Update] 测试可连接性 * 1.5.7 bai (#3764) * [Update] 修复index页面Bug;修复测试资产用户可连接性问题; * [Update] 修改测试资产用户可连接 * [Bugfix] 修复backends问题 * [Update] 修改marksafe依赖版本 * [Update] 修改测试资产用户可连接性 * [Update] 修改检测服务器性能时获取percent值 * [Update] 更新依赖boto3=1.12.14 Co-authored-by: Yanzhe Lee <lee.yanzhe@yanzhe.org> Co-authored-by: BaiJiangJie <32935519+BaiJiangJie@users.noreply.github.com> Co-authored-by: Bai <bugatti_it@163.com>
2020-03-12 08:24:38 +00:00
@receiver(cas_user_authenticated)
def on_cas_user_authenticated(sender, user, created, **kwargs):
source = user.Source.cas.value
user_authenticated_handle(user, created, source)
@receiver(saml2_create_or_update_user)
def on_saml2_create_or_update_user(sender, user, created, attrs, **kwargs):
source = user.Source.saml2.value
user_authenticated_handle(user, created, source, attrs, **kwargs)
@receiver(oauth2_create_or_update_user)
def on_oauth2_create_or_update_user(sender, user, created, attrs, **kwargs):
source = user.Source.oauth2.value
user_authenticated_handle(user, created, source, attrs, **kwargs)
@receiver(radius_create_user)
def radius_create_user(sender, user, **kwargs):
user.source = user.Source.radius.value
user.save()
bind_user_to_org_role(user)
2020-04-28 14:29:56 +00:00
@receiver(openid_create_or_update_user)
def on_openid_create_or_update_user(sender, request, user, created, attrs, **kwargs):
if not check_only_allow_exist_user_auth(created):
return
if created:
logger.debug(
"Receive OpenID user created signal: {}, "
"Set user source is: {}".format(user, User.Source.openid.value)
)
user.source = User.Source.openid.value
user.save()
org_ids = bind_user_to_org_role(user)
group_names = attrs.get('groups')
bind_user_to_group(org_ids, group_names, user)
name = attrs.get('name')
username = attrs.get('username')
email = attrs.get('email')
if not created and settings.AUTH_OPENID_ALWAYS_UPDATE_USER:
logger.debug(
"Receive OpenID user updated signal: {}, "
"Update user info: {}"
"".format(user, "name: {}|username: {}|email: {}".format(name, username, email))
)
user.name = name
user.username = username
user.email = email
user.save()
2023-09-13 08:52:11 +00:00
@receiver(populate_user)
def on_ldap_create_user(sender, user, ldap_user, **kwargs):
if user and user.username not in ['admin']:
exists = User.objects.filter(username=user.username).exists()
if not exists:
user.source = user.Source.ldap.value
user.save()
@shared_task(verbose_name=_('Clean up expired user sessions'))
2024-03-12 11:33:26 +00:00
@register_as_period_task(crontab=CRONTAB_AT_AM_TWO)
def clean_expired_user_session_period():
2023-09-13 08:52:11 +00:00
UserSession.clear_expired_sessions()
@receiver(user_logged_out)
def user_logged_out_callback(sender, request, user, **kwargs):
session_key = request.session.session_key
2024-03-12 11:33:26 +00:00
user_session_manager.remove(session_key)
2023-09-13 08:52:11 +00:00
UserSession.objects.filter(key=session_key).delete()
2024-03-11 06:33:14 +00:00
@receiver(setting_changed)
@on_transaction_commit
def on_auth_setting_changed_clear_source_choice(sender, name='', **kwargs):
if name.startswith('AUTH_'):
User._source_choices = []
@receiver(django_ready)
def on_django_ready_refresh_source(sender, **kwargs):
User._source_choices = []
def bind_user_to_org_role(user):
source = user.source.upper()
org_ids = getattr(settings, f"{source}_ORG_IDS", None)
if not org_ids:
logger.error(f"User {user} has no {source} orgs")
return
org_role_ids = [BuiltinRole.org_user.id]
bindings = [
RoleBinding(
user=user, org_id=org_id, scope=Scope.org,
role_id=role_id,
)
for role_id in org_role_ids
for org_id in org_ids
]
RoleBinding.objects.bulk_create(bindings, ignore_conflicts=True)
return org_ids
def bind_user_to_group(org_ids, group_names, user):
if not isinstance(group_names, list):
return
org_ids = org_ids or [Organization.DEFAULT_ID]
with tmp_to_root_org():
existing_groups = UserGroup.objects.filter(org_id__in=org_ids).values_list('org_id', 'name')
org_groups_map = {}
for org_id, group_name in existing_groups:
org_groups_map.setdefault(org_id, []).append(group_name)
groups_to_create = []
for org_id in org_ids:
existing_group_names = set(org_groups_map.get(org_id, []))
new_group_names = set(group_names) - existing_group_names
groups_to_create.extend(
UserGroup(org_id=org_id, name=name) for name in new_group_names
)
UserGroup.objects.bulk_create(groups_to_create)
user_groups = UserGroup.objects.filter(org_id__in=org_ids, name__in=group_names)
user_group_links = [
User.groups.through(user_id=user.id, usergroup_id=group.id)
for group in user_groups
]
if user_group_links:
User.groups.through.objects.bulk_create(user_group_links)