feat: sso支持验证mfa

2021-08-26 15:01:43 +08:00 · 2021-08-26 15:01:43 +08:00 · 6241238b45
parent 0f87f05b3f
commit 6241238b45
7 changed files with 23 additions and 20 deletions
--- a/apps/assets/api/accounts.py
+++ b/apps/assets/api/accounts.py
@ -64,8 +64,8 @@ class AccountViewSet(OrgBulkModelViewSet):
    permission_classes = (IsOrgAdmin,)

    def get_queryset(self):
-        queryset = super().get_queryset()\
-            .annotate(ip=F('asset__ip'))\
+        queryset = super().get_queryset() \
+            .annotate(ip=F('asset__ip')) \
            .annotate(hostname=F('asset__hostname'))
        return queryset

@ -110,4 +110,5 @@ class AccountTaskCreateAPI(CreateAPIView):
    def get_exception_handler(self):
        def handler(e, context):
            return Response({"error": str(e)}, status=400)
+
        return handler
--- a/apps/authentication/backends/cas/init.py
+++ b/apps/authentication/backends/cas/init.py
@ -1,4 +1,3 @@
 # -*- coding: utf-8 -*-
 #
 from .backends import *
-from .callback import *
--- a/apps/authentication/backends/cas/callback.py
+++ b/apps/authentication/backends/cas/callback.py
@ -1,16 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from django.contrib.auth import get_user_model
-
-
-User = get_user_model()
-
-
-def cas_callback(response):
-    username = response['username']
-    user, user_created = User.objects.get_or_create(username=username)
-    profile, created = user.get_profile()
-
-    profile.role = response['attributes']['role']
-    profile.birth_date = response['attributes']['birth_date']
-    profile.save()
--- a/apps/authentication/middleware.py
+++ b/apps/authentication/middleware.py
@ -0,0 +1,14 @@
+from django.shortcuts import redirect
+
+
+class MFAMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        response = self.get_response(request)
+        if request.path.find('/auth/login/otp/') > -1:
+            return response
+        if request.session.get('auth_mfa_required'):
+            return redirect('authentication:login-otp')
+        return response
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@ -315,6 +315,7 @@ class AuthMixin:
        self.request.session['auth_mfa'] = 1
        self.request.session['auth_mfa_time'] = time.time()
        self.request.session['auth_mfa_type'] = 'otp'
+        self.request.session['auth_mfa_required'] = ''

    def check_mfa_is_block(self, username, ip, raise_exception=True):
        if MFABlockUtils(username, ip).is_block():
@ -391,7 +392,6 @@ class AuthMixin:
    def clear_auth_mark(self):
        self.request.session['auth_password'] = ''
        self.request.session['auth_user_id'] = ''
-        self.request.session['auth_mfa'] = ''
        self.request.session['auth_confirm'] = ''
        self.request.session['auth_ticket_id'] = ''

--- a/apps/authentication/signals_handlers.py
+++ b/apps/authentication/signals_handlers.py
@ -13,6 +13,10 @@ from .signals import post_auth_success, post_auth_failed

@receiver(user_logged_in)
 def on_user_auth_login_success(sender, user, request, **kwargs):
+    # 开启了 MFA，且没有校验过
+    if user.mfa_enabled and not request.session.get('auth_mfa'):
+        request.session['auth_mfa_required'] = 1
+
    if settings.USER_LOGIN_SINGLE_MACHINE_ENABLED:
        user_id = 'single_machine_login_' + str(user.id)
        session_key = cache.get(user_id)
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@ -87,6 +87,7 @@ MIDDLEWARE = [
    'orgs.middleware.OrgMiddleware',
    'authentication.backends.oidc.middleware.OIDCRefreshIDTokenMiddleware',
    'authentication.backends.cas.middleware.CASMiddleware',
+    'authentication.middleware.MFAMiddleware',
    'simple_history.middleware.HistoryRequestMiddleware',
 ]