From 1790cd834526c34108a38c115beff78deebb2c57 Mon Sep 17 00:00:00 2001
From: wangruidong <940853815@qq.com>
Date: Tue, 1 Jul 2025 16:33:49 +0800
Subject: [PATCH] fix: Add additional third-party authentication backends and adjust MFA check

---
 apps/authentication/mixins.py | 4 ++++
 apps/jumpserver/settings/auth.py | 3 ++-
 apps/settings/serializers/security.py | 7 ++++++-
 apps/users/models/user/_source.py | 4 ++++
 4 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/apps/authentication/mixins.py b/apps/authentication/mixins.py
index b8c7d1858..a17679707 100644
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@@ -20,6 +20,7 @@ from django.utils.translation import gettext as _
 from rest_framework.request import Request
 
 from acls.models import LoginACL
+from apps.jumpserver.settings.auth import AUTHENTICATION_BACKENDS_THIRD_PARTY
 from common.utils import get_request_ip_or_data, get_request_ip, get_logger, bulk_get, FlashMessageUtil
 from users.models import User
 from users.utils import LoginBlockUtil, MFABlockUtils, LoginIpBlockUtil
@@ -227,6 +228,9 @@ class MFAMixin:
         self._do_check_user_mfa(code, mfa_type, user=user)
 
     def check_user_mfa_if_need(self, user):
+        if not settings.SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY and \
+                self.request.session.get('auth_backend') in AUTHENTICATION_BACKENDS_THIRD_PARTY:
+            return
         if self.request.session.get('auth_mfa') and \
                 self.request.session.get('auth_mfa_username') == user.username:
             return
diff --git a/apps/jumpserver/settings/auth.py b/apps/jumpserver/settings/auth.py
index 90471dc61..cfbed3e04 100644
--- a/apps/jumpserver/settings/auth.py
+++ b/apps/jumpserver/settings/auth.py
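Review bot: The new `+from apps.jumpserver.settings.auth import AUTHENTICATION_BACKENDS_THIRD_PARTY` line imports a settings file as an ordinary module, while every neighbouring import (`acls.models`, `common.utils`, `users.models`) uses the app-relative path and the method hunk below already reads the same setting family through `settings.SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY`. Under the `apps.` prefix the file is likely to be executed again as a second module object, outside Django's configured settings, and it couples this mixin to the project layout; if `auth.py` is aggregated into the Django settings module the way the other `AUTH_BACKEND_*` constants appear to be, the list is already available as `settings.AUTHENTICATION_BACKENDS_THIRD_PARTY` and the import can be dropped in favour of that. The same import is added in the `security.py` hunk at `@@ -2,6 +2,8 @@`, where the same replacement applies.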
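Review bot: The added guard in `check_user_mfa_if_need` returns before every per-user condition that follows it, so once `SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY` is off, a session whose `auth_backend` is in the list skips MFA regardless of what the user has enabled or been forced to on their own account; the body of the method continues past the hunk, so I cannot see exactly which checks are being pre-empted, but that ordering is the security decision here and should be stated. A comment above the guard such as `# Third-party (SSO) sessions are exempt from MFA when the admin disables it for them; this deliberately precedes the per-user MFA checks below` would record the intent. The guard's only input is the `auth_backend` session key; naming in the same comment where the login flow writes it would help the next reader confirm it is set server-side and cannot be left stale from an earlier session.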
@@ -348,7 +348,8 @@ SMS_CUSTOM_FILE_PATH = os.path.join(PROJECT_DIR, 'data', 'sms', 'main.py')
 
 AUTHENTICATION_BACKENDS_THIRD_PARTY = [
     AUTH_BACKEND_OIDC_CODE, AUTH_BACKEND_CAS,
-    AUTH_BACKEND_SAML2, AUTH_BACKEND_OAUTH2
+    AUTH_BACKEND_SAML2, AUTH_BACKEND_OAUTH2, AUTH_BACKEND_WECOM, AUTH_BACKEND_DINGTALK, AUTH_BACKEND_FEISHU,
+    AUTH_BACKEND_LARK, AUTH_BACKEND_SLACK,
 ]
 ONLY_ALLOW_EXIST_USER_AUTH = CONFIG.ONLY_ALLOW_EXIST_USER_AUTH
 ONLY_ALLOW_AUTH_FROM_SOURCE = CONFIG.ONLY_ALLOW_AUTH_FROM_SOURCE
diff --git a/apps/settings/serializers/security.py b/apps/settings/serializers/security.py
index 6e6e1bf38..cde588fff 100644
--- a/apps/settings/serializers/security.py
+++ b/apps/settings/serializers/security.py
@@ -2,6 +2,8 @@ from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
 from acls.serializers.rules import ip_group_help_text, ip_group_child_validator
+from apps.jumpserver.settings.auth import AUTHENTICATION_BACKENDS_THIRD_PARTY
+from users.models.user import SourceMixin
 
 __all__ = [
     'SecurityPasswordRuleSerializer', 'SecuritySessionSerializer',
@@ -118,6 +120,9 @@ class SecurityLoginLimitSerializer(serializers.Serializer):
 
 
 class SecurityAuthSerializer(serializers.Serializer):
+    help_text_third_party_mfa = _('The third-party login modes include ') + ', '.join(
+        SourceMixin().backends_source_mapper.get(backend) for backend in AUTHENTICATION_BACKENDS_THIRD_PARTY
+    )
     SECURITY_MFA_AUTH = serializers.ChoiceField(
         choices=(
             [0, _('Not enabled')],
@@ -129,7 +134,7 @@ class SecurityAuthSerializer(serializers.Serializer):
     SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY = serializers.BooleanField(
         required=False, default=True,
         label=_('Third-party login MFA'),
-        help_text=_('The third-party login modes include OIDC, CAS, and SAML2'),
+        help_text=help_text_third_party_mfa
     )
     SECURITY_MFA_BY_EMAIL = serializers.BooleanField(
         required=False, default=False,
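Review bot: Extending `AUTHENTICATION_BACKENDS_THIRD_PARTY` widens the set of sessions that the new guard in `mixins.py` exempts from MFA: a deployment that already runs with `SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY` turned off will, after this patch, also skip MFA for WeCom, DingTalk, Feishu, Lark and Slack logins with no further opt-in. That is a silent change in an existing deployment's MFA policy and is not called out in the commit message; it deserves a sentence there and in the release notes. A comment on the list itself, e.g. `# Backends listed here bypass MFA when SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY is False; adding an entry widens that exemption`, would make the next addition a conscious one. I can only see the two readers of this list in the patch; any other consumer inherits the same widening.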
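Review bot: The `help_text_third_party_mfa` expression in `SecurityAuthSerializer` concatenates a `gettext_lazy` proxy with a plain `str` at class-definition time, which forces the translation at import in whatever language is active then and fixes it for every later request, so the help text stops following the request language that the old `_()` literal honoured. In the same expression `.get(backend)` returns `None` for any backend absent from `SOURCE_BACKEND_MAPPING`, and `', '.join` then raises `TypeError` at import, taking the whole serializer module with it; unless every entry of `AUTHENTICATION_BACKENDS_THIRD_PARTY` is guaranteed to be in the mapping, a `.get(backend, backend)` fallback is the safer default. The joined values are the mapping's source keys, so the text shows whatever those keys look like rather than display names, and two backends mapping to the same source would print it twice — worth confirming against the mapping. Keeping the joined part as a plain string and deferring only the translation with `django.utils.text.format_lazy` preserves laziness, and a leading underscore keeps the helper off the serializer's public attributes.
```python
from django.utils.text import format_lazy

class SecurityAuthSerializer(serializers.Serializer):
    # Built once at import: the source key of every backend the MFA exemption covers.
    _third_party_sources = ', '.join(dict.fromkeys(
        str(SourceMixin().backends_source_mapper.get(backend, backend))
        for backend in AUTHENTICATION_BACKENDS_THIRD_PARTY
    ))
    # format_lazy keeps the prefix translated per request; the source list is static.
    help_text_third_party_mfa = format_lazy(
        '{}{}', _('The third-party login modes include '), _third_party_sources
    )
    # … unchanged: SECURITY_MFA_AUTH and the remaining fields …
```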
diff --git a/apps/users/models/user/_source.py b/apps/users/models/user/_source.py
index e7e0dd21f..8b873d210 100644
--- a/apps/users/models/user/_source.py
+++ b/apps/users/models/user/_source.py
@@ -107,3 +107,7 @@ class SourceMixin:
         if not settings.ONLY_ALLOW_AUTH_FROM_SOURCE:
             return None
         return self.SOURCE_BACKEND_MAPPING.get(self.source, [])
+
+    @property
+    def backends_source_mapper(self):
+        return {backend: source for source, backends in self.SOURCE_BACKEND_MAPPING.items() for backend in backends}
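Review bot: `backends_source_mapper` reads nothing but the class-level `SOURCE_BACKEND_MAPPING` and rebuilds the inverse dict on every access, yet it is exposed as an instance property, which is why the serializer hunk in `security.py` has to construct a throw-away `SourceMixin()` at import time just to read it. A classmethod keeps the body and removes that instantiation: `@classmethod` / `def backends_source_mapper(cls):` / `return {backend: source for source, backends in cls.SOURCE_BACKEND_MAPPING.items() for backend in backends}`, called as `SourceMixin.backends_source_mapper()`. The comprehension also silently keeps the last source for a backend that is listed under more than one source; I cannot see the mapping, so if that can occur a short docstring should say which entry wins, and in any case a one-line docstring stating that the result maps each backend path to its source key would document the new API.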