fix: 修复 saml2 登陆的问题

3 years ago · 330917df4c
4 changed files with 30 additions and 8 deletions
--- a/apps/authentication/backends/saml2/backends.py
+++ b/apps/authentication/backends/saml2/backends.py
@ -17,8 +17,7 @@ logger = get_logger(__file__)


 class SAML2Backend(ModelBackend):
-    @staticmethod
-    def user_can_authenticate(user):
+    def user_can_authenticate(self, user):
        is_valid = getattr(user, 'is_valid', None)
        return is_valid or is_valid is None

@ -42,9 +41,10 @@ class SAML2Backend(ModelBackend):
        log_prompt = "Process authenticate [SAML2AuthCodeBackend]: {}"
        logger.debug(log_prompt.format('Start'))
        if saml_user_data is None:
-            logger.debug(log_prompt.format('saml_user_data is missing'))
+            logger.error(log_prompt.format('saml_user_data is missing'))
            return None

+        logger.debug(log_prompt.format('saml data, {}'.format(saml_user_data)))
        username = saml_user_data.get('username')
        if not username:
            logger.debug(log_prompt.format('username is missing'))
--- a/apps/authentication/backends/saml2/views.py
+++ b/apps/authentication/backends/saml2/views.py
@ -1,5 +1,4 @@
-import json
-import os
+import copy

 from django.views import View
 from django.contrib import auth as auth
@ -96,10 +95,18 @@ class PrepareRequestMixin:
    def get_advanced_settings():
        try:
            other_settings = dict(settings.SAML2_SP_ADVANCED_SETTINGS)
+            other_settings = copy.deepcopy(other_settings)
        except Exception as error:
            logger.error('Get other settings error: %s', error)
            other_settings = {}

+        security_default = {
+            'wantAttributeStatement': False,
+            'allowRepeatAttributeName': True
+        }
+        security = other_settings.get('security', {})
+        security_default.update(security)
+
        default = {
            "organization": {
                "en": {
@ -107,9 +114,10 @@ class PrepareRequestMixin:
                    "displayname": "JumpServer",
                    "url": "https://jumpserver.org/"
                }
-            }
+            },
        }
        default.update(other_settings)
+        default['security'] = security_default
        return default

    def get_sp_settings(self):
@ -156,9 +164,12 @@ class PrepareRequestMixin:
        user_attrs = {}
        real_key_index = len(settings.SITE_URL) + 1
        attrs = saml_instance.get_attributes()
+        valid_attrs = ['username', 'name', 'email', 'comment', 'phone']

        for attr, value in attrs.items():
            attr = attr[real_key_index:]
+            if attr not in valid_attrs:
+                continue
            user_attrs[attr] = self.value_to_str(value)
        return user_attrs

--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@ -234,7 +234,18 @@ class Config(dict):
        'SAML2_LOGOUT_COMPLETELY': True,
        'AUTH_SAML2_ALWAYS_UPDATE_USER': True,
        'SAML2_RENAME_ATTRIBUTES': {'uid': 'username', 'email': 'email'},
-        'SAML2_SP_ADVANCED_SETTINGS': {"organization": {"en": {"name": "JumpServer", "displayname": "JumpServer", "url": "https://jumpserver.org/"}}},
+        'SAML2_SP_ADVANCED_SETTINGS': {
+            "organization": {
+                "en": {
+                    "name": "JumpServer",
+                    "displayname": "JumpServer",
+                    "url": "https://jumpserver.org/"
+                }
+            },
+            "strict": True,
+            "security": {
+            }
+        },
        'SAML2_IDP_METADATA_URL': '',
        'SAML2_IDP_METADATA_XML': '',
        'SAML2_SP_KEY_CONTENT': '',
--- a/apps/orgs/caches.py
+++ b/apps/orgs/caches.py
@ -72,7 +72,7 @@ class OrgResourceStatisticsCache(OrgRelatedCache):
        self.org = org

    def get_key_suffix(self):
-        return f'<org:{self.org.id}>'
+        return f'org_{self.org.id}'

    def get_current_org(self):
        return self.org