feat: Email as a method for multi-factor authentication (#15134)

* feat: Email as a method for multi-factor authentication

* perf: Optimize the MFA email sending logic

* perf: Optimize some parameters

* perf: Translate

apps/authentication/mfa/__init__.py

@@ -3,3 +3,4 @@ from .face import MFAFace
 from .otp import MFAOtp, otp_failed_msg
 from .radius import MFARadius
 from .sms import MFASms
+from .email import MFAEmail

apps/authentication/mfa/email.py

@@ -0,0 +1,68 @@
+from django.conf import settings
+from django.template.loader import render_to_string
+from django.utils.translation import gettext_lazy as _
+
+from common.utils import random_string
+from common.utils.verify_code import SendAndVerifyCodeUtil
+from settings.utils import get_login_title
+from .base import BaseMFA
+
+email_failed_msg = _("Email verify code invalid")
+
+
+class MFAEmail(BaseMFA):
+    name = 'email'
+    display_name = _('Email')
+    placeholder = _('Email verification code')
+
+    def check_code(self, code):
+        assert self.is_authenticated()
+        sender_util = SendAndVerifyCodeUtil(self.user.email, backend=self.name)
+        ok = sender_util.verify(code)
+        msg = '' if ok else email_failed_msg
+        return ok, msg
+
+    def is_active(self):
+        if not self.is_authenticated():
+            return True
+        return self.user.email
+
+    @staticmethod
+    def challenge_required():
+        return True
+
+    def send_challenge(self):
+        code = random_string(settings.SMS_CODE_LENGTH, lower=False, upper=False)
+        subject = '%s: %s' % (get_login_title(), _('MFA code'))
+        context = {
+            'user': self.user, 'title': subject, 'code': code,
+        }
+        message = render_to_string('authentication/_msg_mfa_email_code.html', context)
+        content = {'subject': subject, 'message': message}
+        sender_util = SendAndVerifyCodeUtil(
+            self.user.email, code=code, backend=self.name, timeout=60, **content
+        )
+        sender_util.gen_and_send_async()
+
+    @staticmethod
+    def global_enabled():
+        return settings.SECURITY_MFA_BY_EMAIL
+
+    def disable(self):
+        return '/ui/#/profile/index'
+
+    def get_enable_url(self) -> str:
+        return ''
+
+    def can_disable(self) -> bool:
+        return False
+
+    def get_disable_url(self):
+        return ''
+
+    @staticmethod
+    def help_text_of_enable():
+        return ''
+
+    def help_text_of_disable(self):
+        return ''

apps/authentication/templates/authentication/_msg_mfa_email_code.html

@@ -0,0 +1,18 @@
+{% load i18n %}
+
+<div style="width: 100%; text-align: center">
+    <table style="margin: 0 auto; border: 1px solid #ccc; border-collapse: collapse; width: 60%">
+        <tr style="background-color: #1ab394; color: white">
+            <th style="height: 80px;">{{ title }}</th>
+        </tr>
+        <tr style="border: 1px solid #eee;">
+            <td style="height: 50px;">{% trans 'Hello' %} {{ user.name }},</td>
+        </tr>
+        <tr style="border: 1px solid #eee">
+            <td style="height: 50px;">{% trans 'MFA code' %}: <span style="font-weight: bold;">{{ code }}</span></td>
+        </tr>
+        <tr style="border: 1px solid #eee">
+            <td style="height: 30px;">{% trans 'The validity period of the verification code is one minute' %}</td>
+        </tr>
+    </table>
+</div>

apps/i18n/core/zh/LC_MESSAGES/django.po

@@ -7473,6 +7473,14 @@ msgid ""
 "account password"
 msgstr "单位：秒，目前仅在查看账号密码校验 MFA 时生效"
 
+#: settings/serializers/security.py:129
+msgid "MFA via Email"
+msgstr "邮件验证 MFA"
+
+#: settings/serializers/security.py:130
+msgid "Email as a method for multi-factor authentication"
+msgstr "将电子邮件作为多因子认证的一种方式"
+
 #: settings/serializers/security.py:143
 msgid "MFA in login page"
 msgstr "MFA 在登录页面输入"

apps/jumpserver/conf.py

@@ -564,6 +564,7 @@ class Config(dict):
         # 安全配置
         'SECURITY_MFA_AUTH': 0,  # 0 不开启 1 全局开启 2 管理员开启
         'SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY': True,
+        'SECURITY_MFA_BY_EMAIL': False,
         'SECURITY_COMMAND_EXECUTION': False,
         'SECURITY_COMMAND_BLACKLIST': [
             'reboot', 'shutdown', 'poweroff', 'halt', 'dd', 'half', 'top'

apps/jumpserver/settings/auth.py

@@ -325,9 +325,10 @@ MFA_BACKEND_OTP = 'authentication.mfa.otp.MFAOtp'
 MFA_BACKEND_FACE = 'authentication.mfa.face.MFAFace'
 MFA_BACKEND_RADIUS = 'authentication.mfa.radius.MFARadius'
 MFA_BACKEND_SMS = 'authentication.mfa.sms.MFASms'
+MFA_BACKEND_EMAIL = 'authentication.mfa.email.MFAEmail'
 MFA_BACKEND_CUSTOM = 'authentication.mfa.custom.MFACustom'
 
-MFA_BACKENDS = [MFA_BACKEND_OTP, MFA_BACKEND_RADIUS, MFA_BACKEND_SMS, MFA_BACKEND_FACE]
+MFA_BACKENDS = [MFA_BACKEND_OTP, MFA_BACKEND_RADIUS, MFA_BACKEND_SMS, MFA_BACKEND_FACE, MFA_BACKEND_EMAIL]
 
 MFA_CUSTOM = CONFIG.MFA_CUSTOM
 MFA_CUSTOM_FILE_MD5 = CONFIG.MFA_CUSTOM_FILE_MD5

apps/jumpserver/settings/custom.py

@@ -34,6 +34,7 @@ FTP_FILE_MAX_STORE = CONFIG.FTP_FILE_MAX_STORE
 # Security settings
 SECURITY_MFA_AUTH = CONFIG.SECURITY_MFA_AUTH
 SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY = CONFIG.SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY
+SECURITY_MFA_BY_EMAIL = CONFIG.SECURITY_MFA_BY_EMAIL
 SECURITY_MAX_IDLE_TIME = CONFIG.SECURITY_MAX_IDLE_TIME  # Unit: minute
 SECURITY_MAX_SESSION_TIME = CONFIG.SECURITY_MAX_SESSION_TIME  # Unit: hour
 SECURITY_COMMAND_EXECUTION = CONFIG.SECURITY_COMMAND_EXECUTION

apps/settings/serializers/security.py

@@ -124,6 +124,11 @@ class SecurityAuthSerializer(serializers.Serializer):
         label=_('Third-party login MFA'),
         help_text=_('The third-party login modes include OIDC, CAS, and SAML2'),
     )
+    SECURITY_MFA_BY_EMAIL = serializers.BooleanField(
+        required=False, default=False,
+        label=_('MFA via Email'),
+        help_text=_('Email as a method for multi-factor authentication')
+    )
     OTP_ISSUER_NAME = serializers.CharField(
         required=False, max_length=16, label=_('OTP issuer name'),
     )