2016-08-09 09:27:37 +00:00
|
|
|
# ~*~ coding: utf-8 ~*~
|
2018-01-29 08:18:30 +00:00
|
|
|
import uuid
|
|
|
|
|
|
|
|
from django.core.cache import cache
|
2018-04-19 03:13:11 +00:00
|
|
|
from django.urls import reverse
|
2018-07-05 08:23:33 +00:00
|
|
|
from django.utils.translation import ugettext as _
|
2016-08-09 09:27:37 +00:00
|
|
|
|
2017-02-03 05:37:05 +00:00
|
|
|
from rest_framework import generics
|
2018-01-23 02:36:20 +00:00
|
|
|
from rest_framework.permissions import AllowAny, IsAuthenticated
|
2016-09-26 13:22:48 +00:00
|
|
|
from rest_framework.response import Response
|
2016-10-31 10:58:23 +00:00
|
|
|
from rest_framework.views import APIView
|
2016-11-25 14:45:47 +00:00
|
|
|
from rest_framework_bulk import BulkModelViewSet
|
2016-08-23 16:11:13 +00:00
|
|
|
|
2017-12-12 04:19:45 +00:00
|
|
|
from .serializers import UserSerializer, UserGroupSerializer, \
|
|
|
|
UserGroupUpdateMemeberSerializer, UserPKUpdateSerializer, \
|
2018-01-23 02:36:20 +00:00
|
|
|
UserUpdateGroupSerializer, ChangeUserPasswordSerializer
|
2017-12-04 12:15:47 +00:00
|
|
|
from .tasks import write_login_log_async
|
2018-07-03 09:47:12 +00:00
|
|
|
from .models import User, UserGroup, LoginLog
|
2018-07-05 08:23:33 +00:00
|
|
|
from .utils import check_user_valid, generate_token, get_login_ip, \
|
|
|
|
check_otp_code, set_user_login_failed_count_to_cache, is_block_login
|
2018-07-20 09:49:47 +00:00
|
|
|
from orgs.utils import current_org
|
2018-07-23 04:55:13 +00:00
|
|
|
from common.permissions import IsOrgAdmin, IsCurrentUserOrReadOnly, IsOrgAdminOrAppUser
|
2018-02-02 09:06:08 +00:00
|
|
|
from common.mixins import IDInFilterMixin
|
2016-10-15 08:04:54 +00:00
|
|
|
from common.utils import get_logger
|
2016-08-23 16:11:13 +00:00
|
|
|
|
|
|
|
|
2016-10-07 15:54:29 +00:00
|
|
|
logger = get_logger(__name__)
|
2016-08-26 08:56:50 +00:00
|
|
|
|
|
|
|
|
2018-02-02 09:06:08 +00:00
|
|
|
class UserViewSet(IDInFilterMixin, BulkModelViewSet):
|
2017-12-18 10:38:30 +00:00
|
|
|
queryset = User.objects.exclude(role="App")
|
2017-12-12 04:19:45 +00:00
|
|
|
serializer_class = UserSerializer
|
2018-07-23 04:55:13 +00:00
|
|
|
permission_classes = (IsOrgAdmin,)
|
2016-11-25 00:39:24 +00:00
|
|
|
filter_fields = ('username', 'email', 'name', 'id')
|
2016-11-24 09:08:20 +00:00
|
|
|
|
2018-07-13 07:05:46 +00:00
|
|
|
def get_queryset(self):
|
|
|
|
queryset = super().get_queryset()
|
2018-07-20 05:25:50 +00:00
|
|
|
org_users = current_org.get_org_users().values_list('id', flat=True)
|
|
|
|
queryset = queryset.filter(id__in=org_users)
|
2018-07-13 07:05:46 +00:00
|
|
|
return queryset
|
|
|
|
|
2018-04-10 01:41:06 +00:00
|
|
|
def get_permissions(self):
|
|
|
|
if self.action == "retrieve":
|
2018-07-23 04:55:13 +00:00
|
|
|
self.permission_classes = (IsOrgAdminOrAppUser,)
|
2018-04-10 01:41:06 +00:00
|
|
|
return super().get_permissions()
|
|
|
|
|
2016-08-24 09:14:21 +00:00
|
|
|
|
2018-01-23 02:36:20 +00:00
|
|
|
class ChangeUserPasswordApi(generics.RetrieveUpdateAPIView):
|
2018-07-23 04:55:13 +00:00
|
|
|
permission_classes = (IsOrgAdmin,)
|
2018-07-14 16:55:05 +00:00
|
|
|
queryset = User.objects.all()
|
2018-01-23 02:36:20 +00:00
|
|
|
serializer_class = ChangeUserPasswordSerializer
|
|
|
|
|
|
|
|
def perform_update(self, serializer):
|
|
|
|
user = self.get_object()
|
|
|
|
user.password_raw = serializer.validated_data["password"]
|
|
|
|
user.save()
|
|
|
|
|
|
|
|
|
2016-11-14 16:48:48 +00:00
|
|
|
class UserUpdateGroupApi(generics.RetrieveUpdateAPIView):
|
2018-07-14 16:55:05 +00:00
|
|
|
queryset = User.objects.all()
|
2017-12-12 04:19:45 +00:00
|
|
|
serializer_class = UserUpdateGroupSerializer
|
2018-07-23 04:55:13 +00:00
|
|
|
permission_classes = (IsOrgAdmin,)
|
2016-09-13 13:45:10 +00:00
|
|
|
|
|
|
|
|
|
|
|
class UserResetPasswordApi(generics.UpdateAPIView):
|
2018-07-14 16:55:05 +00:00
|
|
|
queryset = User.objects.all()
|
2017-12-12 04:19:45 +00:00
|
|
|
serializer_class = UserSerializer
|
2018-01-23 02:36:20 +00:00
|
|
|
permission_classes = (IsAuthenticated,)
|
2016-09-13 13:45:10 +00:00
|
|
|
|
|
|
|
def perform_update(self, serializer):
|
|
|
|
# Note: we are not updating the user object here.
|
2017-02-03 05:37:05 +00:00
|
|
|
# We just do the reset-password stuff.
|
2016-11-09 11:29:15 +00:00
|
|
|
from .utils import send_reset_password_mail
|
|
|
|
user = self.get_object()
|
2016-09-15 08:54:00 +00:00
|
|
|
user.password_raw = str(uuid.uuid4())
|
|
|
|
user.save()
|
2016-09-13 13:45:10 +00:00
|
|
|
send_reset_password_mail(user)
|
|
|
|
|
|
|
|
|
2016-11-09 15:49:10 +00:00
|
|
|
class UserResetPKApi(generics.UpdateAPIView):
|
2018-07-14 16:55:05 +00:00
|
|
|
queryset = User.objects.all()
|
2017-12-12 04:19:45 +00:00
|
|
|
serializer_class = UserSerializer
|
2018-04-10 01:41:06 +00:00
|
|
|
permission_classes = (IsAuthenticated,)
|
2016-09-13 13:45:10 +00:00
|
|
|
|
|
|
|
def perform_update(self, serializer):
|
2016-11-09 11:29:15 +00:00
|
|
|
from .utils import send_reset_ssh_key_mail
|
2016-09-13 13:45:10 +00:00
|
|
|
user = self.get_object()
|
2016-09-18 06:28:34 +00:00
|
|
|
user.is_public_key_valid = False
|
2016-09-13 13:45:10 +00:00
|
|
|
user.save()
|
2016-09-15 08:54:00 +00:00
|
|
|
send_reset_ssh_key_mail(user)
|
2016-09-18 06:28:34 +00:00
|
|
|
|
2016-11-09 15:49:10 +00:00
|
|
|
|
|
|
|
class UserUpdatePKApi(generics.UpdateAPIView):
|
2018-07-14 16:55:05 +00:00
|
|
|
queryset = User.objects.all()
|
2017-12-12 04:19:45 +00:00
|
|
|
serializer_class = UserPKUpdateSerializer
|
2017-02-03 05:37:05 +00:00
|
|
|
permission_classes = (IsCurrentUserOrReadOnly,)
|
2016-11-09 15:49:10 +00:00
|
|
|
|
|
|
|
def perform_update(self, serializer):
|
|
|
|
user = self.get_object()
|
|
|
|
user.public_key = serializer.validated_data['_public_key']
|
|
|
|
user.save()
|
|
|
|
|
2016-11-14 16:48:48 +00:00
|
|
|
|
2018-07-13 11:30:48 +00:00
|
|
|
class UserUnblockPKApi(generics.UpdateAPIView):
|
|
|
|
queryset = User.objects.all()
|
2018-07-25 10:21:37 +00:00
|
|
|
permission_classes = (IsOrgAdmin,)
|
2018-07-13 11:30:48 +00:00
|
|
|
serializer_class = UserSerializer
|
|
|
|
key_prefix_limit = "_LOGIN_LIMIT_{}_{}"
|
2018-07-16 04:13:13 +00:00
|
|
|
key_prefix_block = "_LOGIN_BLOCK_{}"
|
2018-07-13 11:30:48 +00:00
|
|
|
|
|
|
|
def perform_update(self, serializer):
|
|
|
|
user = self.get_object()
|
|
|
|
username = user.username if user else ''
|
|
|
|
key_limit = self.key_prefix_limit.format(username, '*')
|
2018-07-16 04:13:13 +00:00
|
|
|
key_block = self.key_prefix_block.format(username)
|
2018-07-13 11:30:48 +00:00
|
|
|
cache.delete_pattern(key_limit)
|
2018-07-16 04:13:13 +00:00
|
|
|
cache.delete(key_block)
|
2018-07-13 11:30:48 +00:00
|
|
|
|
|
|
|
|
2018-02-02 09:06:08 +00:00
|
|
|
class UserGroupViewSet(IDInFilterMixin, BulkModelViewSet):
|
2018-07-14 16:55:05 +00:00
|
|
|
queryset = UserGroup.objects.all()
|
2017-12-12 04:19:45 +00:00
|
|
|
serializer_class = UserGroupSerializer
|
2018-07-23 04:55:13 +00:00
|
|
|
permission_classes = (IsOrgAdmin,)
|
2016-11-14 16:48:48 +00:00
|
|
|
|
|
|
|
|
|
|
|
class UserGroupUpdateUserApi(generics.RetrieveUpdateAPIView):
|
2018-07-14 16:55:05 +00:00
|
|
|
queryset = UserGroup.objects.all()
|
2017-12-12 04:19:45 +00:00
|
|
|
serializer_class = UserGroupUpdateMemeberSerializer
|
2018-07-23 04:55:13 +00:00
|
|
|
permission_classes = (IsOrgAdmin,)
|
2016-11-14 16:48:48 +00:00
|
|
|
|
2016-10-15 09:14:56 +00:00
|
|
|
|
2016-12-16 11:32:05 +00:00
|
|
|
class UserToken(APIView):
|
2016-12-28 16:29:59 +00:00
|
|
|
permission_classes = (AllowAny,)
|
2016-12-16 11:32:05 +00:00
|
|
|
|
2016-12-28 16:29:59 +00:00
|
|
|
def post(self, request):
|
2017-06-02 09:15:59 +00:00
|
|
|
if not request.user.is_authenticated:
|
2017-01-10 10:03:00 +00:00
|
|
|
username = request.data.get('username', '')
|
|
|
|
email = request.data.get('email', '')
|
|
|
|
password = request.data.get('password', '')
|
|
|
|
public_key = request.data.get('public_key', '')
|
|
|
|
|
2017-01-17 08:34:47 +00:00
|
|
|
user, msg = check_user_valid(
|
|
|
|
username=username, email=email,
|
|
|
|
password=password, public_key=public_key)
|
2017-01-10 10:03:00 +00:00
|
|
|
else:
|
|
|
|
user = request.user
|
|
|
|
msg = None
|
2016-12-28 16:29:59 +00:00
|
|
|
if user:
|
2016-12-29 11:17:00 +00:00
|
|
|
token = generate_token(request, user)
|
2017-01-10 10:03:00 +00:00
|
|
|
return Response({'Token': token, 'Keyword': 'Bearer'}, status=200)
|
2016-12-28 16:29:59 +00:00
|
|
|
else:
|
|
|
|
return Response({'error': msg}, status=406)
|
2016-12-16 11:32:05 +00:00
|
|
|
|
|
|
|
|
2018-06-26 14:13:39 +00:00
|
|
|
class UserProfile(generics.RetrieveAPIView):
|
|
|
|
permission_classes = (IsAuthenticated,)
|
2018-04-18 04:48:07 +00:00
|
|
|
serializer_class = UserSerializer
|
2016-12-16 11:32:05 +00:00
|
|
|
|
2018-06-26 14:13:39 +00:00
|
|
|
def get_object(self):
|
|
|
|
return self.request.user
|
2017-01-17 08:34:47 +00:00
|
|
|
|
2016-12-16 11:32:05 +00:00
|
|
|
|
2018-04-19 03:13:11 +00:00
|
|
|
class UserOtpAuthApi(APIView):
|
2016-12-29 11:17:00 +00:00
|
|
|
permission_classes = (AllowAny,)
|
2018-04-18 04:48:07 +00:00
|
|
|
serializer_class = UserSerializer
|
2016-10-31 10:58:23 +00:00
|
|
|
|
2017-01-17 08:34:47 +00:00
|
|
|
def post(self, request):
|
2018-04-19 03:13:11 +00:00
|
|
|
otp_code = request.data.get('otp_code', '')
|
|
|
|
seed = request.data.get('seed', '')
|
|
|
|
|
|
|
|
user = cache.get(seed, None)
|
|
|
|
if not user:
|
|
|
|
return Response({'msg': '请先进行用户名和密码验证'}, status=401)
|
|
|
|
|
|
|
|
if not check_otp_code(user.otp_secret_key, otp_code):
|
2018-07-04 02:57:37 +00:00
|
|
|
data = {
|
2018-07-03 09:47:12 +00:00
|
|
|
'username': user.username,
|
|
|
|
'mfa': int(user.otp_enabled),
|
|
|
|
'reason': LoginLog.REASON_MFA,
|
|
|
|
'status': False
|
|
|
|
}
|
2018-07-04 02:57:37 +00:00
|
|
|
self.write_login_log(request, data)
|
2018-04-20 03:51:32 +00:00
|
|
|
return Response({'msg': 'MFA认证失败'}, status=401)
|
2018-04-19 03:13:11 +00:00
|
|
|
|
2018-07-04 02:57:37 +00:00
|
|
|
data = {
|
2018-07-03 09:47:12 +00:00
|
|
|
'username': user.username,
|
|
|
|
'mfa': int(user.otp_enabled),
|
|
|
|
'reason': LoginLog.REASON_NOTHING,
|
|
|
|
'status': True
|
|
|
|
}
|
2018-07-04 02:57:37 +00:00
|
|
|
self.write_login_log(request, data)
|
2018-04-19 03:13:11 +00:00
|
|
|
token = generate_token(request, user)
|
|
|
|
return Response(
|
|
|
|
{
|
|
|
|
'token': token,
|
|
|
|
'user': self.serializer_class(user).data
|
|
|
|
}
|
|
|
|
)
|
2018-04-18 04:48:07 +00:00
|
|
|
|
2018-04-19 03:13:11 +00:00
|
|
|
@staticmethod
|
2018-07-04 02:57:37 +00:00
|
|
|
def write_login_log(request, data):
|
2018-04-19 03:13:11 +00:00
|
|
|
login_ip = request.data.get('remote_addr', None)
|
|
|
|
login_type = request.data.get('login_type', '')
|
|
|
|
user_agent = request.data.get('HTTP_USER_AGENT', '')
|
|
|
|
|
|
|
|
if not login_ip:
|
|
|
|
login_ip = get_login_ip(request)
|
2018-04-18 04:48:07 +00:00
|
|
|
|
2018-07-04 02:57:37 +00:00
|
|
|
tmp_data = {
|
2018-07-03 09:47:12 +00:00
|
|
|
'ip': login_ip,
|
|
|
|
'type': login_type,
|
|
|
|
'user_agent': user_agent
|
|
|
|
}
|
2018-07-04 02:57:37 +00:00
|
|
|
data.update(tmp_data)
|
|
|
|
write_login_log_async.delay(**data)
|
2018-04-19 03:13:11 +00:00
|
|
|
|
|
|
|
|
|
|
|
class UserAuthApi(APIView):
|
|
|
|
permission_classes = (AllowAny,)
|
|
|
|
serializer_class = UserSerializer
|
2018-07-05 08:23:33 +00:00
|
|
|
key_prefix_limit = "_LOGIN_LIMIT_{}_{}"
|
2018-07-16 04:13:13 +00:00
|
|
|
key_prefix_block = "_LOGIN_BLOCK_{}"
|
2018-04-19 03:13:11 +00:00
|
|
|
|
|
|
|
def post(self, request):
|
2018-07-05 09:07:03 +00:00
|
|
|
# limit login
|
2018-07-05 08:23:33 +00:00
|
|
|
username = request.data.get('username')
|
|
|
|
ip = request.data.get('remote_addr', None)
|
2018-07-05 09:07:03 +00:00
|
|
|
ip = ip if ip else get_login_ip(request)
|
2018-07-13 11:30:48 +00:00
|
|
|
key_limit = self.key_prefix_limit.format(username, ip)
|
2018-07-16 04:13:13 +00:00
|
|
|
key_block = self.key_prefix_block.format(username)
|
2018-07-05 08:23:33 +00:00
|
|
|
if is_block_login(key_limit):
|
|
|
|
msg = _("Log in frequently and try again later")
|
|
|
|
return Response({'msg': msg}, status=401)
|
|
|
|
|
2018-07-05 09:07:03 +00:00
|
|
|
user, msg = self.check_user_valid(request)
|
2018-04-19 03:13:11 +00:00
|
|
|
if not user:
|
2018-07-04 02:57:37 +00:00
|
|
|
data = {
|
2018-07-03 09:47:12 +00:00
|
|
|
'username': request.data.get('username', ''),
|
|
|
|
'mfa': LoginLog.MFA_UNKNOWN,
|
|
|
|
'reason': LoginLog.REASON_PASSWORD,
|
|
|
|
'status': False
|
|
|
|
}
|
2018-07-04 02:57:37 +00:00
|
|
|
self.write_login_log(request, data)
|
2018-07-05 08:23:33 +00:00
|
|
|
|
2018-07-16 04:13:13 +00:00
|
|
|
set_user_login_failed_count_to_cache(key_limit, key_block)
|
2018-04-18 04:48:07 +00:00
|
|
|
return Response({'msg': msg}, status=401)
|
|
|
|
|
2018-04-19 03:13:11 +00:00
|
|
|
if not user.otp_enabled:
|
2018-07-04 02:57:37 +00:00
|
|
|
data = {
|
2018-07-03 09:47:12 +00:00
|
|
|
'username': user.username,
|
|
|
|
'mfa': int(user.otp_enabled),
|
|
|
|
'reason': LoginLog.REASON_NOTHING,
|
|
|
|
'status': True
|
|
|
|
}
|
2018-07-04 02:57:37 +00:00
|
|
|
self.write_login_log(request, data)
|
2018-04-18 04:48:07 +00:00
|
|
|
token = generate_token(request, user)
|
2018-04-19 03:13:11 +00:00
|
|
|
return Response(
|
|
|
|
{
|
|
|
|
'token': token,
|
|
|
|
'user': self.serializer_class(user).data
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
|
|
|
seed = uuid.uuid4().hex
|
|
|
|
cache.set(seed, user, 300)
|
|
|
|
return Response(
|
|
|
|
{
|
|
|
|
'code': 101,
|
2018-04-20 03:51:32 +00:00
|
|
|
'msg': '请携带seed值,进行MFA二次认证',
|
2018-04-19 03:13:11 +00:00
|
|
|
'otp_url': reverse('api-users:user-otp-auth'),
|
|
|
|
'seed': seed,
|
|
|
|
'user': self.serializer_class(user).data
|
2018-07-03 09:47:12 +00:00
|
|
|
}, status=300
|
|
|
|
)
|
2018-04-18 04:48:07 +00:00
|
|
|
|
|
|
|
@staticmethod
|
|
|
|
def check_user_valid(request):
|
2016-10-31 10:58:23 +00:00
|
|
|
username = request.data.get('username', '')
|
|
|
|
password = request.data.get('password', '')
|
|
|
|
public_key = request.data.get('public_key', '')
|
2018-04-18 04:48:07 +00:00
|
|
|
user, msg = check_user_valid(
|
|
|
|
username=username, password=password,
|
|
|
|
public_key=public_key
|
|
|
|
)
|
|
|
|
return user, msg
|
|
|
|
|
|
|
|
@staticmethod
|
2018-07-04 02:57:37 +00:00
|
|
|
def write_login_log(request, data):
|
2017-01-17 08:34:47 +00:00
|
|
|
login_ip = request.data.get('remote_addr', None)
|
2018-04-18 04:48:07 +00:00
|
|
|
login_type = request.data.get('login_type', '')
|
2016-12-29 11:17:00 +00:00
|
|
|
user_agent = request.data.get('HTTP_USER_AGENT', '')
|
|
|
|
|
2017-11-14 01:44:16 +00:00
|
|
|
if not login_ip:
|
2018-04-18 04:48:07 +00:00
|
|
|
login_ip = get_login_ip(request)
|
2018-03-04 05:01:33 +00:00
|
|
|
|
2018-07-04 02:57:37 +00:00
|
|
|
tmp_data = {
|
2018-07-03 09:47:12 +00:00
|
|
|
'ip': login_ip,
|
|
|
|
'type': login_type,
|
|
|
|
'user_agent': user_agent,
|
|
|
|
}
|
2018-07-04 02:57:37 +00:00
|
|
|
data.update(tmp_data)
|
2018-07-03 09:47:12 +00:00
|
|
|
|
2018-07-04 02:57:37 +00:00
|
|
|
write_login_log_async.delay(**data)
|
2016-11-09 11:29:15 +00:00
|
|
|
|
2018-01-29 08:18:30 +00:00
|
|
|
|
|
|
|
class UserConnectionTokenApi(APIView):
|
2018-07-23 04:55:13 +00:00
|
|
|
permission_classes = (IsOrgAdminOrAppUser,)
|
2018-01-29 08:18:30 +00:00
|
|
|
|
|
|
|
def post(self, request):
|
|
|
|
user_id = request.data.get('user', '')
|
|
|
|
asset_id = request.data.get('asset', '')
|
|
|
|
system_user_id = request.data.get('system_user', '')
|
|
|
|
token = str(uuid.uuid4())
|
|
|
|
value = {
|
|
|
|
'user': user_id,
|
|
|
|
'asset': asset_id,
|
|
|
|
'system_user': system_user_id
|
|
|
|
}
|
2018-03-12 12:29:27 +00:00
|
|
|
cache.set(token, value, timeout=20)
|
2018-01-29 08:18:30 +00:00
|
|
|
return Response({"token": token}, status=201)
|
|
|
|
|
|
|
|
def get(self, request):
|
|
|
|
token = request.query_params.get('token')
|
2018-03-12 11:39:27 +00:00
|
|
|
user_only = request.query_params.get('user-only', None)
|
2018-01-29 08:18:30 +00:00
|
|
|
value = cache.get(token, None)
|
|
|
|
|
2018-03-12 11:39:27 +00:00
|
|
|
if not value:
|
|
|
|
return Response('', status=404)
|
2018-01-29 08:18:30 +00:00
|
|
|
|
2018-03-12 11:39:27 +00:00
|
|
|
if not user_only:
|
|
|
|
return Response(value)
|
|
|
|
else:
|
|
|
|
return Response({'user': value['user']})
|
2018-01-29 08:18:30 +00:00
|
|
|
|
2018-03-12 11:39:27 +00:00
|
|
|
def get_permissions(self):
|
|
|
|
if self.request.query_params.get('user-only', None):
|
|
|
|
self.permission_classes = (AllowAny,)
|
|
|
|
return super().get_permissions()
|