[Update] 支持radius认证 (#2323)

* [Update] 支持radius认证

* [Update] 支持radius

* [Update] 增加requirements

* [Update] 修改copyright

* [Update] 修改migrations

Dockerfile

@@ -12,7 +12,7 @@ RUN yum -y install epel-release && cd /tmp/requirements && \
 RUN cd /tmp/requirements &&  pip install -r requirements.txt
 
 COPY . /opt/jumpserver
-COPY config_docker.py /opt/jumpserver/config.py
+COPY config_example.yml /opt/jumpserver/config.yml
 VOLUME /opt/jumpserver/data
 VOLUME /opt/jumpserver/logs
 

apps/authentication/radius/__init__.py

@@ -0,0 +1,2 @@
+# -*- coding: utf-8 -*-
+#

apps/authentication/radius/backends.py

@@ -0,0 +1,34 @@
+# -*- coding: utf-8 -*-
+#
+
+from django.contrib.auth import get_user_model
+from radiusauth.backends import RADIUSBackend, RADIUSRealmBackend
+from django.conf import settings
+
+User = get_user_model()
+
+
+class CreateUserMixin:
+    def get_django_user(self, username, password=None):
+        if isinstance(username, bytes):
+            username = username.decode()
+        try:
+            user = User.objects.get(username=username)
+        except User.DoesNotExist:
+            if '@' in username:
+                email = username
+            else:
+                email_suffix = settings.EMAIL_SUFFIX
+                email = '{}@{}'.format(username, email_suffix)
+            user = User(username=username, name=username, email=email)
+            user.source = user.SOURCE_RADIUS
+            user.save()
+        return user
+
+
+class RadiusBackend(CreateUserMixin, RADIUSBackend):
+    pass
+
+
+class RadiusRealmBackend(CreateUserMixin, RADIUSRealmBackend):
+    pass

apps/jumpserver/conf.py

@@ -331,6 +331,10 @@ defaults = {
     'SECURITY_PASSWORD_LOWER_CASE': False,
     'SECURITY_PASSWORD_NUMBER': False,
     'SECURITY_PASSWORD_SPECIAL_CHAR': False,
+    'AUTH_RADIUS': False,
+    'RADIUS_SERVER': 'localhost',
+    'RADIUS_PORT': 1812,
+    'RADIUS_SECRET': '',
     'HTTP_BIND_HOST': '0.0.0.0',
     'HTTP_LISTEN_PORT': 8080,
 }

apps/jumpserver/settings.py

@@ -400,6 +400,16 @@ if AUTH_OPENID:
     AUTHENTICATION_BACKENDS.insert(0, AUTH_OPENID_BACKENDS[0])
     AUTHENTICATION_BACKENDS.insert(0, AUTH_OPENID_BACKENDS[1])
 
+# Radius Auth
+AUTH_RADIUS = CONFIG.AUTH_RADIUS
+AUTH_RADIUS_BACKEND = 'authentication.radius.backends.RadiusBackend'
+RADIUS_SERVER = CONFIG.RADIUS_SERVER
+RADIUS_PORT = CONFIG.RADIUS_PORT
+RADIUS_SECRET = CONFIG.RADIUS_SECRET
+
+if AUTH_RADIUS:
+    AUTHENTICATION_BACKENDS.insert(0, AUTH_RADIUS_BACKEND)
+
 # Celery using redis as broker
 CELERY_BROKER_URL = 'redis://:%(password)s@%(host)s:%(port)s/%(db)s' % {
     'password': CONFIG.REDIS_PASSWORD,

apps/templates/_copyright.html

@@ -1,2 +1,2 @@
 {% load i18n %}
-<strong>Copyright</strong> {% trans ' Beijing Duizhan Tech, Inc. ' %} &copy; 2014-2018
+<strong>Copyright</strong> {% trans ' Beijing Duizhan Tech, Inc. ' %} &copy; 2014-2019

apps/templates/_footer.html

@@ -5,6 +5,6 @@
         <!--<img style="display: none" src="http://www.jumpserver.org/img/evaluate_avatar1.jpg">-->
     </div>
     <div>
-        <strong>Copyright</strong> {% trans ' Beijing Duizhan Tech, Inc. ' %}&copy; 2014-2018
+        <strong>Copyright</strong> {% trans ' Beijing Duizhan Tech, Inc. ' %}&copy; 2014-2019
     </div>
 </div>

apps/templates/flash_message_standalone.html

@@ -54,7 +54,7 @@
                 {% include '_copyright.html' %}
             </div>
             <div class="col-md-6 text-right">
-               <small>2014-2018</small>
+               <small>2014-2019</small>
             </div>
         </div>
     </div>

apps/users/migrations/0018_auto_20190107_1912.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.1.4 on 2019-01-07 11:12
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('users', '0017_auto_20181123_1113'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='user',
+            name='source',
+            field=models.CharField(choices=[('local', 'Local'), ('ldap', 'LDAP/AD'), ('openid', 'OpenID'), ('radius', 'Radius')], default='local', max_length=30, verbose_name='Source'),
+        ),
+    ]

apps/users/models/user.py

@@ -41,10 +41,12 @@ class User(AbstractUser):
     SOURCE_LOCAL = 'local'
     SOURCE_LDAP = 'ldap'
     SOURCE_OPENID = 'openid'
+    SOURCE_RADIUS = 'radius'
     SOURCE_CHOICES = (
         (SOURCE_LOCAL, 'Local'),
         (SOURCE_LDAP, 'LDAP/AD'),
         (SOURCE_OPENID, 'OpenID'),
+        (SOURCE_RADIUS, 'Radius'),
     )
     id = models.UUIDField(default=uuid.uuid4, primary_key=True)
     username = models.CharField(

config_docker.yml

@@ -1,65 +0,0 @@
-# SECURITY WARNING: keep the secret key used in production secret!
-# 加密秘钥 生产环境中请修改为随机字符串，请勿外泄
-SECRET_KEY:
-
-# SECURITY WARNING: keep the bootstrap token used in production secret!
-# 预共享Token coco和guacamole用来注册服务账号，不在使用原来的注册接受机制
-BOOTSTRAP_TOKEN:
-
-# Development env open this, when error occur display the full process track, Production disable it
-# DEBUG 模式 开启DEBUG后遇到错误时可以看到更多日志
-# DEBUG: true
-
-# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
-# 日志级别
-# LOG_LEVEL: DEBUG
-# LOG_DIR: 
-
-# Session expiration setting, Default 24 hour, Also set expired on on browser close
-# 浏览器Session过期时间，默认24小时, 也可以设置浏览器关闭则过期
-# SESSION_COOKIE_AGE: 3600 * 24
-# SESSION_EXPIRE_AT_BROWSER_CLOSE: False
-
-# Database setting, Support sqlite3, mysql, postgres ....
-# 数据库设置
-# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
-
-# SQLite setting:
-# 使用单文件sqlite数据库
-# DB_ENGINE: sqlite3
-# DB_NAME: 
-
-# MySQL or postgres setting like:
-# 使用Mysql作为数据库
-DB_ENGINE: mysql
-DB_HOST: 127.0.0.1
-DB_PORT: 3306
-DB_USER: jumpserver
-DB_PASSWORD: 
-DB_NAME: jumpserver
-
-# When Django start it will bind this host and port
-# ./manage.py runserver 127.0.0.1:8080
-# 运行时绑定端口
-HTTP_BIND_HOST: 0.0.0.0
-HTTP_LISTEN_PORT: 8080
-
-# Use Redis as broker for celery and web socket
-# Redis配置
-REDIS_HOST: 127.0.0.1
-REDIS_PORT: 6379
-# REDIS_PASSWORD: 
-# REDIS_DB_CELERY: 3
-# REDIS_DB_CACHE: 4
-
-# Use OpenID authorization
-# 使用OpenID 来进行认证设置
-# BASE_SITE_URL: http://localhost:8080
-# AUTH_OPENID: false  # True or False
-# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
-# AUTH_OPENID_REALM_NAME: realm-name
-# AUTH_OPENID_CLIENT_ID: client-id
-# AUTH_OPENID_CLIENT_SECRET: client-secret
-
-# OTP校验窗口大小，可以避免服务器时间稍有差异引起OTP校验失败
-# OTP_VALID_WINDOW: 0

requirements/requirements.txt

@@ -78,3 +78,4 @@ python-keycloak-client==0.1.3
 rest_condition==1.0.3
 python-ldap==3.1.0
 tencentcloud-sdk-python==3.0.40
+django-radius==1.3.3