perf: i18n System Settings -> Authentication-OIDC

2024-05-22 17:51:45 +08:00 · 2024-05-22 17:51:45 +08:00 · 79449a8a02
parent 4a5205c5ac
commit 79449a8a02
6 changed files with 80 additions and 32 deletions
--- a/apps/i18n/lina/en.json
+++ b/apps/i18n/lina/en.json
@ -202,7 +202,7 @@
    "BuiltinVariable": "Built-in variables",
    "BulkUnblock": "Batch unlock",
    "CACertificate": "Ca certificate",
-    "CAS": "Cas",
+    "CAS": "CAS",
    "CMPP2": "Cmpp v2.0",
    "CTYunPrivate": "Tianyi private cloud",
    "CalculationResults": "Error in cron expression",
@ -394,7 +394,7 @@
    "DeviceCreate": "Create asset - device",
    "DeviceUpdate": "Update the asset - device",
    "Digit": "Number",
-    "DingTalk": "Dingtalk",
+    "DingTalk": "DingTalk",
    "DingTalkOAuth": "DingTalk OAuth",
    "DingTalkTest": "Test",
    "Disable": "Disable",
@ -609,7 +609,7 @@
    "Last30Days": "Monthly",
    "Last7Days": "Weekly",
    "LastPublishedTime": "Last publish time",
-    "Ldap": "Ldap",
+    "Ldap": "LDAP",
    "LdapBulkImport": "User import",
    "LdapConnectTest": "Test connection",
    "LdapLoginTest": "Test login",
@ -730,9 +730,9 @@
    "Now": "Now",
    "Number": "No.",
    "NumberOfVisits": "Visits",
-    "OAuth2": "Oauth2",
+    "OAuth2": "OAuth2",
    "OAuth2LogoTip": "Note: authentication provider (recommended image size: 64px*64px)",
-    "OIDC": "Oidc",
+    "OIDC": "OIDC",
    "ObjectNotFoundOrDeletedMsg": "No corresponding resources found or it has been deleted.",
    "Offline": "Offline",
    "OfflineSelected": "Offline selected",
@ -1281,7 +1281,7 @@
    "VirtualApps": "VApp",
    "Volcengine": "Volcengine",
    "Warning": "Warning",
-    "WeCom": "Wecom",
+    "WeCom": "WeCom",
    "WeComOAuth": "WeCom OAuth",
    "WeComTest": "Test",
    "WebCreate": "Create asset - web",
@ -1310,5 +1310,6 @@
    "SiteURLTip": "For example: https://demo.jumpserver.org",
    "Settings...": "Settings...",
    "EmailTemplate": "Template",
-    "EmailTemplateHelpTip": "Email template is used for sending emails and includes the email subject prefix and email content"
+    "EmailTemplateHelpTip": "Email template is used for sending emails and includes the email subject prefix and email content",
+    "ForgotPasswordURL": "Forgot password URL"
 }
--- a/apps/settings/serializers/auth/base.py
+++ b/apps/settings/serializers/auth/base.py
@ -24,12 +24,21 @@ class AuthSettingSerializer(serializers.Serializer):
    AUTH_PASSKEY = serializers.BooleanField(default=False, label=_("Passkey Auth"))
    EMAIL_SUFFIX = serializers.CharField(
        required=False, max_length=1024, label=_("Email suffix"),
-        help_text=_('This is used by default if no email is returned during SSO authentication')
+        help_text=_(
+            "After third-party user authentication is successful, "
+            "if the third-party authentication service platform does not return the user's email "
+            "information, the system will automatically create the user using this email suffix"
+        )
    )
    FORGOT_PASSWORD_URL = serializers.CharField(
        required=False, allow_blank=True, max_length=1024,
-        label=_("Forgot Password URL")
+        label=_("Forgot Password"), 
+        help_text=_("The URL for Forgotten Password on the user login page")
    )
    LOGIN_REDIRECT_MSG_ENABLED = serializers.BooleanField(
-        required=False, label=_("Login redirection prompt")
+        required=False, label=_("Login redirection"),
+        help_text=_(
+            "Should an flash page be displayed before the user is redirected to third-party "
+            "authentication when the administrator enables third-party redirect authentication"
+        )
    )
--- a/apps/settings/serializers/auth/cas.py
+++ b/apps/settings/serializers/auth/cas.py
@ -15,7 +15,10 @@ class CASSettingSerializer(serializers.Serializer):
        required=False, allow_null=True, allow_blank=True,
        max_length=1024, label=_('Proxy Server')
    )
-    CAS_LOGOUT_COMPLETELY = serializers.BooleanField(required=False, label=_('Logout completely'))
+    CAS_LOGOUT_COMPLETELY = serializers.BooleanField(
+        required=False, label=_('Logout completely'), 
+        help_text=_('When the user signs out, they also be logged out from the CAS Server')
+    )
    CAS_VERSION = serializers.IntegerField(
        required=False, label=_('Version'), min_value=1, max_value=3
    )
@ -25,8 +28,17 @@ class CASSettingSerializer(serializers.Serializer):
    CAS_APPLY_ATTRIBUTES_TO_USER = serializers.BooleanField(
        required=False, label=_('Enable attributes map')
    )
-    CAS_RENAME_ATTRIBUTES = serializers.JSONField(required=False, label=_('User attribute'))
+    CAS_RENAME_ATTRIBUTES = serializers.JSONField(
+        required=False, label=_('User attribute'),
+        help_text=_(
+            "User attribute mapping, where the `key` is the CAS service user attribute name "
+            "and the `value` is the JumpServer user attribute name"
+        )
+    )
    CAS_CREATE_USER = serializers.BooleanField(
        required=False, label=_('Create user'), 
-        help_text=_('Automatically create a new user if not found.')
+        help_text=_(
+            'After successful user authentication, if the user does not exist, '
+            'automatically create the user'
+        )
    )
--- a/apps/settings/serializers/auth/ldap.py
+++ b/apps/settings/serializers/auth/ldap.py
@ -40,24 +40,32 @@ class LDAPSettingSerializer(serializers.Serializer):

    AUTH_LDAP_SERVER_URI = serializers.CharField(
        required=True, max_length=1024, label=_('Server'),
-        help_text=_('eg: ldap://localhost:389')
+        help_text=_('LDAP server URI')
+    )
+    AUTH_LDAP_BIND_DN = serializers.CharField(
+        required=False, max_length=1024, label=_('Bind DN'),
+        help_text=_('Binding Distinguished Name')
    )
-    AUTH_LDAP_BIND_DN = serializers.CharField(required=False, max_length=1024, label=_('Bind DN'))
    AUTH_LDAP_BIND_PASSWORD = EncryptedField(
-        max_length=1024, required=False, label=_('Password')
+        max_length=1024, required=False, label=_('Password'),
+        help_text=_('Binding password')
    )
    AUTH_LDAP_SEARCH_OU = serializers.CharField(
-        max_length=1024, allow_blank=True, required=False, label=_('User OU'),
-        help_text=_('Use | split multi OUs')
+        max_length=1024, allow_blank=True, required=False, label=_('Search OU'),
+        help_text=_(
+            'User Search Base, if there are multiple OUs, you can separate them with the `|` symbol'
+        )
    )
    AUTH_LDAP_SEARCH_FILTER = serializers.CharField(
-        max_length=1024, required=True, label=_('User search filter'),
-        help_text=_('Choice may be (cn|uid|sAMAccountName)=%(user)s)')
+        max_length=1024, required=True, label=_('Search filter'),
+        help_text=_('Selection could include (cn|uid|sAMAccountName=%(user)s)')
    )
    AUTH_LDAP_USER_ATTR_MAP = serializers.JSONField(
        required=True, label=_('User attribute'),
-        help_text=_('User attr map present how to map LDAP user attr to '
-                    'jumpserver, username,name,email is jumpserver attr')
+        help_text=_(
+            'User attribute mapping, where the `key` is the JumpServer user attribute name and the '
+            '`value` is the LDAP service user attribute name'
+        )
    )
    AUTH_LDAP_SYNC_ORG_IDS = serializers.ListField(
        required=False, label=_('Organization'), max_length=36
@ -85,7 +93,9 @@ class LDAPSettingSerializer(serializers.Serializer):
            'improve the speed of user authentication., 0 means no cache'
        )
    )
-    AUTH_LDAP_SEARCH_PAGED_SIZE = serializers.IntegerField(required=False, label=_('Search paged size (piece)'))
+    AUTH_LDAP_SEARCH_PAGED_SIZE = serializers.IntegerField(
+        required=False, label=_('Search paged size (piece)')
+    )
    AUTH_LDAP_SYNC_RECEIVERS = serializers.ListField(
        required=False, label=_('Recipient'), max_length=36
    )
--- a/apps/settings/serializers/auth/oidc.py
+++ b/apps/settings/serializers/auth/oidc.py
@ -13,7 +13,8 @@ class CommonSettingSerializer(serializers.Serializer):
    # OpenID 公有配置参数 (version <= 1.5.8 或 version >= 1.5.8)
    BASE_SITE_URL = serializers.CharField(
        required=False, allow_null=True, allow_blank=True,
-        max_length=1024, label=_('Base site URL')
+        max_length=1024, label=_('Base site URL'), 
+        help_text=_("The current site's URL is used to construct the callback address")
    )
    AUTH_OPENID_CLIENT_ID = serializers.CharField(
        required=False, max_length=1024, label=_('Client Id')
@ -35,8 +36,10 @@ class CommonSettingSerializer(serializers.Serializer):
    )
    AUTH_OPENID_USER_ATTR_MAP = serializers.JSONField(
        required=True, label=_('User attribute'),
-        help_text=_('User attr map present how to map OpenID user attr to '
-                    'jumpserver, username,name,email is jumpserver attr')
+        help_text=_(
+            "User attribute mapping, where the `key` is the JumpServer user attribute name "
+            "and the `value` is the OIDC service user attribute name"
+        )
    )
    AUTH_OPENID_PKCE = serializers.BooleanField(required=False, label=_('Enable PKCE'))
    AUTH_OPENID_CODE_CHALLENGE_METHOD = serializers.ChoiceField(
@ -48,7 +51,10 @@ class CommonSettingSerializer(serializers.Serializer):
 class KeycloakSettingSerializer(CommonSettingSerializer):
    # OpenID 旧配置参数 (version <= 1.5.8 (discarded))
    AUTH_OPENID_KEYCLOAK = serializers.BooleanField(
-        label=_("Use Keycloak"), required=False, default=False
+        label=_("Use Keycloak"), required=False, default=False,
+        help_text=_(
+            "Use Keycloak as the OpenID Connect server, or use standard OpenID Connect Protocol"
+        )
    )
    AUTH_OPENID_SERVER_URL = serializers.CharField(
        required=False, max_length=1024, label=_('Server')
@ -60,7 +66,9 @@ class KeycloakSettingSerializer(CommonSettingSerializer):

 class OIDCSettingSerializer(KeycloakSettingSerializer):
    # OpenID 新配置参数 (version >= 1.5.9)
-    AUTH_OPENID = serializers.BooleanField(required=False, label=_('OIDC'))
+    AUTH_OPENID = serializers.BooleanField(
+        required=False, label=_('OIDC'), help_text=_('OpenID Connect')
+    )
    AUTH_OPENID_PROVIDER_ENDPOINT = serializers.CharField(
        required=False, max_length=1024, label=_('Provider endpoint')
    )
@ -85,15 +93,21 @@ class OIDCSettingSerializer(KeycloakSettingSerializer):
    AUTH_OPENID_PROVIDER_SIGNATURE_KEY = serializers.CharField(
        required=False, max_length=1024, allow_null=True, label=_('Signing key')
    )
-    AUTH_OPENID_SCOPES = serializers.CharField(required=False, max_length=1024, label=_('Scopes'))
+    AUTH_OPENID_SCOPES = serializers.CharField(
+        required=False, max_length=1024, label=_('Scopes')
+    )
    AUTH_OPENID_ID_TOKEN_MAX_AGE = serializers.IntegerField(
        required=False, label=_('ID Token max age (s)')
    )
    AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS = serializers.BooleanField(
        required=False, label=_('ID Token include claims')
    )
-    AUTH_OPENID_USE_STATE = serializers.BooleanField(required=False, label=_('Use state'))
-    AUTH_OPENID_USE_NONCE = serializers.BooleanField(required=False, label=_('Use nonce'))
+    AUTH_OPENID_USE_STATE = serializers.BooleanField(
+        required=False, label=_('Use state')
+    )
+    AUTH_OPENID_USE_NONCE = serializers.BooleanField(
+        required=False, label=_('Use nonce')
+        )
    AUTH_OPENID_ALWAYS_UPDATE_USER = serializers.BooleanField(
        required=False, label=_('Always update user')
    )
--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@ -668,11 +668,13 @@ class MFAMixin:
    @property
    def mfa_force_enabled(self):
        force_level = settings.SECURITY_MFA_AUTH
+        # 1 All users
        if force_level in [True, 1]:
            return True
-        # 2 管理员强制开启
+        # 2 仅管理员强制开启
        if force_level == 2 and self.is_org_admin:
            return True
+        # 3 仅用户开启
        return self.mfa_level == 2

    def enable_mfa(self):