github
/
jumpserver
mirror of https://github.com/jumpserver/jumpserver
1
0
Fork 0
Code Issues Releases Wiki Activity

fix: 修复 oidc cas 登录时跳转问题 

perf: 优化一波,容易debug

perf: 还原回来的世界
pull/7278/head
ibuler 2021-11-25 13:20:13 +08:00 committed by Jiangjie.Bai
parent 5ace5a752e
commit 7f0ad7e27f
8 changed files with 65 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
apps/authentication/middleware.py
View File

@ -1,17 +1,36 @@
from django.shortcuts import redirect
from django.shortcuts import redirect, reverse
from django.http import HttpResponse
class MFAMiddleware:
"""
这个 中间件 是用来全局拦截开启了 MFA 却没有认证的 OIDC, CAS使用第三方库做的登录直接 login
所以只能在 Middleware 中控制
"""
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
response = self.get_response(request)
# 没有校验
if not request.session.get('auth_mfa_required'):
return response
# 没有认证过,证明不是从 第三方 来的
if request.user.is_anonymous:
return response
white_urls = ['login/mfa', 'mfa/select', 'jsi18n/', '/static/']
# 这个是 mfa 登录页需要的请求, 也得放出来, 用户其实已经在 CAS/OIDC 中完成登录了
white_urls = [
'login/mfa', 'mfa/select', 'jsi18n/', '/static/', '/profile/otp',
'/logout/', '/login/'
]
for url in white_urls:
if request.path.find(url) > -1:
return response
if request.session.get('auth_mfa_required'):
return redirect('authentication:login-mfa')
return response
# 因为使用 CAS/OIDC 登录的,不小心去了别的页面就回不来了
if request.path.find('users/profile') > -1:
return HttpResponse('', status=401)
url = reverse('authentication:login-mfa') + '?_=middleware'
return redirect(url)

9
apps/authentication/mixins.py
View File

@ -257,7 +257,8 @@ class MFAMixin:
def _check_login_page_mfa_if_need(self, user):
if not settings.SECURITY_MFA_IN_LOGIN_PAGE:
return
self._check_if_no_active_mfa(user)
if not user.active_mfa_backends:
return
request = self.request
data = request.data if hasattr(request, 'data') else request.POST
@ -274,10 +275,8 @@ class MFAMixin:
if not user.mfa_enabled:
return
self._check_if_no_active_mfa(user)
active_mfa_mapper = user.active_mfa_backends_mapper
raise errors.MFARequiredError(mfa_types=tuple(active_mfa_mapper.keys()))
active_mfa_names = user.active_mfa_backends_mapper.keys()
raise errors.MFARequiredError(mfa_types=tuple(active_mfa_names))
def mark_mfa_ok(self, mfa_type):
self.request.session['auth_mfa'] = 1

17
apps/authentication/views/mfa.py
View File

@ -3,6 +3,7 @@
from __future__ import unicode_literals
from django.views.generic.edit import FormView
from django.shortcuts import redirect
from common.utils import get_logger
from .. import forms, errors, mixins
@ -19,9 +20,15 @@ class UserLoginMFAView(mixins.AuthMixin, FormView):
def get(self, *args, **kwargs):
try:
self.get_user_from_session()
user = self.get_user_from_session()
except errors.SessionEmptyError:
return redirect_to_guard_view()
return redirect_to_guard_view('session_empty')
try:
self._check_if_no_active_mfa(user)
except errors.MFAUnsetError as e:
return redirect(e.url + '?_=login_mfa')
return super().get(*args, **kwargs)
def form_valid(self, form):
@ -30,17 +37,17 @@ class UserLoginMFAView(mixins.AuthMixin, FormView):
try:
self._do_check_user_mfa(code, mfa_type)
return redirect_to_guard_view()
return redirect_to_guard_view('mfa_ok')
except (errors.MFAFailedError, errors.BlockMFAError) as e:
form.add_error('code', e.msg)
return super().form_invalid(form)
except errors.SessionEmptyError:
return redirect_to_guard_view()
return redirect_to_guard_view('session_empty')
except Exception as e:
logger.error(e)
import traceback
traceback.print_exc()
return redirect_to_guard_view()
return redirect_to_guard_view('unexpect')
def get_context_data(self, **kwargs):
user = self.get_user_from_session()

4
apps/authentication/views/utils.py
View File

@ -3,6 +3,6 @@
from django.shortcuts import reverse, redirect
def redirect_to_guard_view():
continue_url = reverse('authentication:login-guard')
def redirect_to_guard_view(comment=''):
continue_url = reverse('authentication:login-guard') + '?_=' + comment
return redirect(continue_url)

4
apps/static/css/otp.css
View File

@ -136,6 +136,10 @@ article ul li:last-child{
border-radius: 6px;
color: white;
}
.next:hover {
color: white;
}
/*绑定TOTP*/
/*版权信息*/

36
apps/users/templates/users/user_otp_check_password.html
View File

@ -7,36 +7,8 @@
{% endblock %}
{% block content %}
<div class="verify">{% trans 'Please enter the password of' %}&nbsp;{% trans 'account' %}&nbsp;<span>{{ user.username }}</span>&nbsp;{% trans 'to complete the binding operation' %}</div>
<hr style="width: 500px; margin: auto; margin-top: 10px;">
<form id="verify-form" class="" role="form" method="post" action="">
{% csrf_token %}
<div class="form-input">
<input id="password" type="password" class="" placeholder="{% trans 'Password' %}" required="" autofocus="autofocus">
<input id="password-hidden" type="text" style="display:none" name="{{ form.password.html_name }}">
</div>
<button type="submit" class="next" onclick="doVerify();return false;">{% trans 'Next' %}</button>
{% if 'password' in form.errors %}
<p class="red-fonts">{{ form.password.errors.as_text }}</p>
{% endif %}
</form>
<script type="text/javascript" src="/static/js/plugins/jsencrypt/jsencrypt.min.js"></script>
<script>
function encryptLoginPassword(password, rsaPublicKey) {
var jsencrypt = new JSEncrypt(); //加密对象
jsencrypt.setPublicKey(rsaPublicKey); // 设置密钥
return jsencrypt.encrypt(password); //加密
}
function doVerify() {
//公钥加密
var rsaPublicKey = "{{ rsa_public_key }}"
var password = $('#password').val(); //明文密码
var passwordEncrypted = encryptLoginPassword(password, rsaPublicKey)
$('#password-hidden').val(passwordEncrypted); //返回给密码输入input
$('#verify-form').submit();//post提交
}
$(document).ready(function () {
})
</script>
<hr style="width: 500px; margin: 10px auto auto;">
<a type="submit" class="next" href="{% url 'authentication:user-otp-enable-install-app' %}" >
{% trans 'Next' %}
</a>
{% endblock %}

8
apps/users/templates/users/user_otp_enable_bind.html
View File

@ -16,12 +16,12 @@
<div id="qr_code"></div>
<div style="display: block; margin: 0">Secret: {{ otp_secret_key }}</div>
<form class="" role="form" method="post" action="">
<form id="bind-form" class="" role="form" method="post" action="">
{% csrf_token %}
<div class="form-input">
<input type="text" class="" name="otp_code" placeholder="{% trans 'Six figures' %}" required="">
</div>
<button type="submit" class="next">{% trans 'Next' %}</button>
<a type="submit" class="next button" onclick="submitForm()">{% trans 'Next' %}</a>
{% if 'otp_code' in form.errors %}
<p style="color: #ed5565">{{ form.otp_code.errors.as_text }}</p>
{% endif %}
@ -33,6 +33,10 @@
$('.change-color li:eq(1) i').css('color', '#1ab394');
$('.change-color li:eq(2) i').css('color', '#1ab394');
function submitForm() {
$('#bind-form').submit()
}
$(document).ready(function() {
// 生成用户绑定otp的二维码
var qrcode = new QRCode(document.getElementById('qr_code'), {

12
apps/users/views/profile/otp.py
View File

@ -6,10 +6,12 @@ from django.utils.translation import ugettext as _
from django.views.generic.base import TemplateView
from django.views.generic.edit import FormView
from django.contrib.auth import logout as auth_logout
from django.shortcuts import redirect
from django.http.response import HttpResponseRedirect
from authentication.mixins import AuthMixin
from authentication.mfa import MFAOtp, otp_failed_msg
from authentication.errors import SessionEmptyError
from common.utils import get_logger, FlashMessageUtil
from common.mixins.views import PermissionsMixin
from common.permissions import IsValidUser
@ -30,11 +32,15 @@ __all__ = [
logger = get_logger(__name__)
class UserOtpEnableStartView(UserVerifyPasswordView):
class UserOtpEnableStartView(AuthMixin, TemplateView):
template_name = 'users/user_otp_check_password.html'
def get_success_url(self):
return reverse('authentication:user-otp-enable-install-app')
def get(self, request, *args, **kwargs):
try:
self.get_user_from_session()
except SessionEmptyError:
return redirect('authentication:login') + '?_=otp_enable_start'
return super().get(request, *args, **kwargs)
class UserOtpEnableInstallAppView(TemplateView):