jumpserver/apps/users/backends.py

129 lines
4.4 KiB
Python
Raw Normal View History

2016-10-14 16:49:59 +00:00
# -*- coding: utf-8 -*-
#
2016-10-31 10:58:23 +00:00
import base64
from django.core.cache import cache
from django.conf import settings
from django.utils.translation import ugettext as _
2016-10-15 08:04:54 +00:00
from rest_framework import authentication, exceptions, permissions
from rest_framework.compat import is_authenticated
2016-10-14 16:49:59 +00:00
2016-11-01 09:21:16 +00:00
from common.utils import signer, get_object_or_none
2016-10-17 07:24:41 +00:00
from .hands import Terminal
2016-10-31 10:58:23 +00:00
from .models import User
2016-10-14 16:49:59 +00:00
2016-10-17 07:24:41 +00:00
class TerminalAuthentication(authentication.BaseAuthentication):
2016-10-14 16:49:59 +00:00
keyword = 'Sign'
2016-10-17 07:24:41 +00:00
model = Terminal
2016-10-14 16:49:59 +00:00
def authenticate(self, request):
auth = authentication.get_authorization_header(request).split()
if not auth or auth[0].lower() != self.keyword.lower().encode():
return None
if len(auth) == 1:
msg = _('Invalid sign header. No credentials provided.')
raise exceptions.AuthenticationFailed(msg)
elif len(auth) > 2:
msg = _('Invalid sign header. Sign string should not contain spaces.')
raise exceptions.AuthenticationFailed(msg)
try:
sign = auth[1].decode()
except UnicodeError:
msg = _('Invalid token header. Sign string should not contain invalid characters.')
raise exceptions.AuthenticationFailed(msg)
return self.authenticate_credentials(sign)
2016-10-15 08:04:54 +00:00
def authenticate_credentials(self, sign):
2016-11-01 09:21:16 +00:00
name = signer.unsign(sign)
2016-10-17 07:24:41 +00:00
if name:
terminal = get_object_or_none(self.model, name=name)
2016-10-15 08:04:54 +00:00
else:
raise exceptions.AuthenticationFailed(_('Invalid sign.'))
2016-10-14 16:49:59 +00:00
2016-10-24 11:32:53 +00:00
if not terminal or not terminal.is_active:
2016-10-17 07:24:41 +00:00
raise exceptions.AuthenticationFailed(_('Terminal inactive or deleted.'))
terminal.is_authenticated = True
return terminal, None
2016-10-15 08:04:54 +00:00
2016-10-31 10:58:23 +00:00
class AccessTokenAuthentication(authentication.BaseAuthentication):
keyword = 'Token'
model = User
expiration = settings.CONFIG.TOKEN_EXPIRATION or 3600
def authenticate(self, request):
auth = authentication.get_authorization_header(request).split()
if not auth or auth[0].lower() != self.keyword.lower().encode():
return None
if len(auth) == 1:
msg = _('Invalid token header. No credentials provided.')
raise exceptions.AuthenticationFailed(msg)
elif len(auth) > 2:
msg = _('Invalid token header. Sign string should not contain spaces.')
raise exceptions.AuthenticationFailed(msg)
try:
token = auth[1].decode()
except UnicodeError:
msg = _('Invalid token header. Sign string should not contain invalid characters.')
raise exceptions.AuthenticationFailed(msg)
return self.authenticate_credentials(token, request)
def authenticate_credentials(self, token, request):
user_id = cache.get(token)
user = get_object_or_none(User, id=user_id)
if not user:
msg = _('Invalid token')
raise exceptions.AuthenticationFailed(msg)
remote_addr = request.META.get('REMOTE_ADDR', '')
remote_addr = base64.b16encode(remote_addr).replace('=', '')
cache.set(token, user_id, self.expiration)
cache.set('%s_%s' % (user.id, remote_addr), token, self.expiration)
return user, None
2016-10-15 08:04:54 +00:00
class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
"""Allows access to valid user, is active and not expired"""
def has_permission(self, request, view):
return super(IsValidUser, self).has_permission(request, view) \
and request.user.is_valid
2016-10-17 07:24:41 +00:00
class IsTerminalUser(IsValidUser, permissions.BasePermission):
2016-10-15 08:04:54 +00:00
"""Allows access only to app user """
def has_permission(self, request, view):
2016-10-17 07:24:41 +00:00
return super(IsTerminalUser, self).has_permission(request, view) \
and isinstance(request.user, Terminal)
2016-10-15 08:04:54 +00:00
class IsSuperUser(IsValidUser, permissions.BasePermission):
"""Allows access only to superuser"""
def has_permission(self, request, view):
return super(IsSuperUser, self).has_permission(request, view) \
and request.user.is_superuser
2016-10-17 07:24:41 +00:00
class IsSuperUserOrTerminalUser(IsValidUser, permissions.BasePermission):
2016-10-15 08:04:54 +00:00
"""Allows access between superuser and app user"""
def has_permission(self, request, view):
2016-10-17 07:24:41 +00:00
return super(IsSuperUserOrTerminalUser, self).has_permission(request, view) \
and (request.user.is_superuser or request.user.is_terminal)
2016-10-14 16:49:59 +00:00
if __name__ == '__main__':
pass