[Update] 更新OpenID的配置项以及对应的信号监听

apps/audits/signals_handler.py

@@ -136,8 +136,8 @@ def on_user_auth_success(sender, user, request, **kwargs):
 
 
 @receiver(post_auth_failed)
-def on_user_auth_failed(sender, username, request, reason, **kwargs):
+def on_user_auth_failed(sender, username, request, reason='', **kwargs):
     logger.debug('User login failed: {}'.format(username))
     data = generate_data(username, request)
-    data.update({'reason': reason, 'status': False})
+    data.update({'reason': reason[:128], 'status': False})
     write_login_log(**data)

apps/authentication/signals_handlers.py

@@ -1,15 +1,15 @@
 from django.dispatch import receiver
 
-from jms_oidc_rp.signals import oidc_user_login_success, oidc_user_login_failed
+from jms_oidc_rp.signals import openid_user_login_failed, openid_user_login_success
 
 from .signals import post_auth_success, post_auth_failed
 
 
-@receiver(oidc_user_login_success)
+@receiver(openid_user_login_success)
 def on_oidc_user_login_success(sender, request, user, **kwargs):
     post_auth_success.send(sender, user=user, request=request)
 
 
-@receiver(oidc_user_login_failed)
+@receiver(openid_user_login_failed)
 def on_oidc_user_login_failed(sender, username, request, reason, **kwargs):
     post_auth_failed.send(sender, username=username, request=request, reason=reason)

apps/jumpserver/conf.py

@@ -184,15 +184,12 @@ class Config(dict):
         'AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT': 'https://op-example.com/logout',
         'AUTH_OPENID_PROVIDER_SIGNATURE_ALG': 'HS256',
         'AUTH_OPENID_PROVIDER_SIGNATURE_KEY': None,
-        'AUTH_OPENID_PROVIDER_CLAIMS_NAME': None,
-        'AUTH_OPENID_PROVIDER_CLAIMS_USERNAME': None,
-        'AUTH_OPENID_PROVIDER_CLAIMS_EMAIL': None,
         'AUTH_OPENID_SCOPES': 'openid profile email',
         'AUTH_OPENID_ID_TOKEN_MAX_AGE': 60,
-        'AUTH_OPENID_ID_TOKEN_INCLUDE_USERINFO': True,
+        'AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS': True,
         'AUTH_OPENID_USE_STATE': True,
         'AUTH_OPENID_USE_NONCE': True,
-        'AUTH_OPENID_ALWAYS_UPDATE_USER_INFORMATION': True,
+        'AUTH_OPENID_ALWAYS_UPDATE_USER': True,
         # OpenID 旧配置参数 (version <= 1.5.8 (discarded))
         'BASE_SITE_URL': 'http://localhost:8080',
         'AUTH_OPENID_SERVER_URL': 'http://openid',

apps/jumpserver/settings/auth.py

@@ -58,17 +58,14 @@ AUTH_OPENID_PROVIDER_USERINFO_ENDPOINT = CONFIG.AUTH_OPENID_PROVIDER_USERINFO_EN
 AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT = CONFIG.AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT
 AUTH_OPENID_PROVIDER_SIGNATURE_ALG = CONFIG.AUTH_OPENID_PROVIDER_SIGNATURE_ALG
 AUTH_OPENID_PROVIDER_SIGNATURE_KEY = CONFIG.AUTH_OPENID_PROVIDER_SIGNATURE_KEY
-AUTH_OPENID_PROVIDER_CLAIMS_NAME = CONFIG.AUTH_OPENID_PROVIDER_CLAIMS_NAME
-AUTH_OPENID_PROVIDER_CLAIMS_USERNAME = CONFIG.AUTH_OPENID_PROVIDER_CLAIMS_USERNAME
-AUTH_OPENID_PROVIDER_CLAIMS_EMAIL = CONFIG.AUTH_OPENID_PROVIDER_CLAIMS_EMAIL
 AUTH_OPENID_SCOPES = CONFIG.AUTH_OPENID_SCOPES
 AUTH_OPENID_ID_TOKEN_MAX_AGE = CONFIG.AUTH_OPENID_ID_TOKEN_MAX_AGE
-AUTH_OPENID_ID_TOKEN_INCLUDE_USERINFO = CONFIG.AUTH_OPENID_ID_TOKEN_INCLUDE_USERINFO
+AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS = CONFIG.AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS
 AUTH_OPENID_SHARE_SESSION = CONFIG.AUTH_OPENID_SHARE_SESSION
 AUTH_OPENID_IGNORE_SSL_VERIFICATION = CONFIG.AUTH_OPENID_IGNORE_SSL_VERIFICATION
 AUTH_OPENID_USE_STATE = CONFIG.AUTH_OPENID_USE_STATE
 AUTH_OPENID_USE_NONCE = CONFIG.AUTH_OPENID_USE_NONCE
-AUTH_OPENID_ALWAYS_UPDATE_USER_INFORMATION = CONFIG.AUTH_OPENID_ALWAYS_UPDATE_USER_INFORMATION
+AUTH_OPENID_ALWAYS_UPDATE_USER = CONFIG.AUTH_OPENID_ALWAYS_UPDATE_USER
 AUTH_OPENID_AUTH_LOGIN_URL_NAME = 'authentication:oidc:login'
 AUTH_OPENID_AUTH_LOGIN_CALLBACK_URL_NAME = 'authentication:oidc:login-callback'
 AUTH_OPENID_AUTH_LOGOUT_URL_NAME = 'authentication:oidc:logout'

apps/users/signals_handler.py

@@ -7,11 +7,9 @@ from django_auth_ldap.backend import populate_user
 from django.conf import settings
 from django_cas_ng.signals import cas_user_authenticated
 
-from jms_oidc_rp.signals import oidc_user_created, oidc_user_updated
-from jms_oidc_rp.backends import get_userinfo_from_claims
+from jms_oidc_rp.signals import openid_user_create_or_update
 
 from common.utils import get_logger
-from .utils import construct_user_email
 from .signals import post_user_create
 from .models import User
 
@@ -55,19 +53,15 @@ def on_ldap_create_user(sender, user, ldap_user, **kwargs):
             user.save()
 
 
-@receiver(oidc_user_created)
-def on_oidc_user_created(sender, request, oidc_user, **kwargs):
-    oidc_user.user.source = User.SOURCE_OPENID
-    oidc_user.user.save()
-
-
-@receiver(oidc_user_updated)
-def on_oidc_user_updated(sender, request, oidc_user, **kwargs):
-    if not settings.AUTH_OPENID_ALWAYS_UPDATE_USER_INFORMATION:
+@receiver(openid_user_create_or_update)
+def on_openid_user_create_or_update(sender, request, user, created, name, username, email):
+    if created:
+        user.source = User.SOURCE_OPENID
+        user.save()
         return
-    name, username, email = get_userinfo_from_claims(oidc_user.userinfo)
-    email = construct_user_email(username, email)
-    oidc_user.user.name = name
-    oidc_user.user.username = username
-    oidc_user.user.email = email
-    oidc_user.user.save()
+
+    if not created and settings.AUTH_OPENID_ALWAYS_UPDATE_USER:
+        user.name = name
+        user.username = username
+        user.email = email
+        user.save()