feat: sso支持验证mfa

2021-08-26 15:01:43 +08:00 · 2021-08-26 15:01:43 +08:00 · 6241238b45
parent 0f87f05b3f
commit 6241238b45
7 changed files with 23 additions and 20 deletions
--- a/apps/assets/api/accounts.py
+++ b/apps/assets/api/accounts.py
@ -64,8 +64,8 @@ class AccountViewSet(OrgBulkModelViewSet):
    permission_classes = (IsOrgAdmin,)
    def get_queryset(self):
-        queryset = super().get_queryset()\
+        queryset = super().get_queryset() \
-            .annotate(ip=F('asset__ip'))\
+            .annotate(ip=F('asset__ip')) \
            .annotate(hostname=F('asset__hostname'))
        return queryset
@ -110,4 +110,5 @@ class AccountTaskCreateAPI(CreateAPIView):
    def get_exception_handler(self):
        def handler(e, context):
            return Response({"error": str(e)}, status=400)
        return handler
--- a/apps/authentication/backends/cas/init.py
+++ b/apps/authentication/backends/cas/init.py
@ -1,4 +1,3 @@
 # -*- coding: utf-8 -*-
 #
 from .backends import *
 from .callback import *
--- a/apps/authentication/backends/cas/callback.py
+++ b/apps/authentication/backends/cas/callback.py
@ -1,16 +0,0 @@
 # -*- coding: utf-8 -*-
 #
 from django.contrib.auth import get_user_model
 User = get_user_model()
 def cas_callback(response):
    username = response['username']
    user, user_created = User.objects.get_or_create(username=username)
    profile, created = user.get_profile()
    profile.role = response['attributes']['role']
    profile.birth_date = response['attributes']['birth_date']
    profile.save()
--- a/apps/authentication/middleware.py
+++ b/apps/authentication/middleware.py
@ -0,0 +1,14 @@
 from django.shortcuts import redirect
 class MFAMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response
    def __call__(self, request):
        response = self.get_response(request)
        if request.path.find('/auth/login/otp/') > -1:
            return response
        if request.session.get('auth_mfa_required'):
            return redirect('authentication:login-otp')
        return response
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@ -315,6 +315,7 @@ class AuthMixin:
        self.request.session['auth_mfa'] = 1
        self.request.session['auth_mfa_time'] = time.time()
        self.request.session['auth_mfa_type'] = 'otp'
        self.request.session['auth_mfa_required'] = ''
    def check_mfa_is_block(self, username, ip, raise_exception=True):
        if MFABlockUtils(username, ip).is_block():
@ -391,7 +392,6 @@ class AuthMixin:
    def clear_auth_mark(self):
        self.request.session['auth_password'] = ''
        self.request.session['auth_user_id'] = ''
        self.request.session['auth_mfa'] = ''
        self.request.session['auth_confirm'] = ''
        self.request.session['auth_ticket_id'] = ''
--- a/apps/authentication/signals_handlers.py
+++ b/apps/authentication/signals_handlers.py
@ -13,6 +13,10 @@ from .signals import post_auth_success, post_auth_failed
@receiver(user_logged_in)
 def on_user_auth_login_success(sender, user, request, **kwargs):
    # 开启了 MFA，且没有校验过
    if user.mfa_enabled and not request.session.get('auth_mfa'):
        request.session['auth_mfa_required'] = 1
    if settings.USER_LOGIN_SINGLE_MACHINE_ENABLED:
        user_id = 'single_machine_login_' + str(user.id)
        session_key = cache.get(user_id)
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@ -87,6 +87,7 @@ MIDDLEWARE = [
    'orgs.middleware.OrgMiddleware',
    'authentication.backends.oidc.middleware.OIDCRefreshIDTokenMiddleware',
    'authentication.backends.cas.middleware.CASMiddleware',
    'authentication.middleware.MFAMiddleware',
    'simple_history.middleware.HistoryRequestMiddleware',
 ]