From 8085db7acc6bf7eeb116dbdf16b3a31b474ee739 Mon Sep 17 00:00:00 2001
From: Michael Bai
Date: Tue, 8 Feb 2022 17:33:18 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E5=A2=9E=E5=8A=A0=E7=B3=BB=E7=BB=9F?=
 =?UTF-8?q?=E8=AE=BE=E7=BD=AE(=E5=AE=89=E5=85=A8)=E6=8E=A7=E5=88=B6?=
 =?UTF-8?q?=E7=AC=AC=E4=B8=89=E6=96=B9=E8=AE=A4=E8=AF=81=E7=94=A8=E6=88=B7?=
 =?UTF-8?q?=E6=98=AF=E5=90=A6=E8=BF=9B=E8=A1=8CMFA=E8=AE=A4=E8=AF=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 apps/authentication/signals_handlers.py | 4 +-
 apps/jumpserver/conf.py | 1 +
 apps/jumpserver/settings/custom.py | 1 +
 apps/locale/zh/LC_MESSAGES/django.mo | 4 +-
 apps/locale/zh/LC_MESSAGES/django.po | 94 ++++++++++++++-----------
 apps/settings/serializers/security.py | 5 ++
 6 files changed, 63 insertions(+), 46 deletions(-)
diff --git a/apps/authentication/signals_handlers.py b/apps/authentication/signals_handlers.py
index 5cdd07984..a1063186a 100644
--- a/apps/authentication/signals_handlers.py
+++ b/apps/authentication/signals_handlers.py
@@ -17,7 +17,9 @@ from .signals import post_auth_success, post_auth_failed
 @receiver(user_logged_in)
 def on_user_auth_login_success(sender, user, request, **kwargs):
 # 开启了 MFA,且没有校验过, 可以全局校验, middleware 中可以全局管理 oidc 等第三方认证的 MFA
- if user.mfa_enabled and not request.session.get('auth_mfa'):
+ if settings.SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY \
+ and user.mfa_enabled \
+ and not request.session.get('auth_mfa'):
 request.session['auth_mfa_required'] = 1
 # 单点登录,超过了自动退出
diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 654164fe9..919fc5642 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -312,6 +312,7 @@ class Config(dict):
 # 安全配置
 'SECURITY_MFA_AUTH': 0, # 0 不开启 1 全局开启 2 管理员开启
+ 'SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY': True,
 'SECURITY_COMMAND_EXECUTION': True,
 'SECURITY_SERVICE_ACCOUNT_REGISTRATION': True,
 'SECURITY_VIEW_AUTH_NEED_MFA': True,
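Review bot: The new guard in on_user_auth_login_success keys only on `settings.SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY` and never checks that the login actually came through a third-party backend, so with the setting off the `auth_mfa_required` flag is skipped for every `user_logged_in` signal that has no `auth_mfa` in the session, not just OIDC/CAS/SAML2 logins. If the local password flow always stores `auth_mfa` before this signal fires that is harmless, but the invariant is not visible here; either state it in the comment or also confirm the backend (e.g. via `request.session.get(BACKEND_SESSION_KEY)` from django.contrib.auth) so the switch cannot widen into a general MFA bypass. The comment above the condition still describes the old unconditional behaviour; suggest `# Third-party (OIDC/CAS/SAML2) logins that have not passed MFA are flagged for the middleware to enforce it, unless SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY is off`. `settings` is referenced by the new line but its import lies outside the hunk, so confirm the module already has `from django.conf import settings`. The body of on_user_auth_login_success continues past the hunk.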
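Review bot: The new conf.py default for `SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY` has no explanatory comment, unlike its neighbour `SECURITY_MFA_AUTH` which documents its values inline. Since the name alone does not say what is gated, suggest `'SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY': True,  # require MFA after OIDC/CAS/SAML2 logins when the user has MFA enabled`. The `True` default keeps the fail-closed behaviour for deployments that never set the key, which is the right choice. The Config dict continues outside the hunk.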
diff --git a/apps/jumpserver/settings/custom.py b/apps/jumpserver/settings/custom.py
index a95571194..4eff9d9fe 100644
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@@ -32,6 +32,7 @@ TERMINAL_REPLAY_STORAGE = CONFIG.TERMINAL_REPLAY_STORAGE
 # Security settings
 SECURITY_MFA_AUTH = CONFIG.SECURITY_MFA_AUTH
+SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY = CONFIG.SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY
 SECURITY_MAX_IDLE_TIME = CONFIG.SECURITY_MAX_IDLE_TIME # Unit: minute
 SECURITY_COMMAND_EXECUTION = CONFIG.SECURITY_COMMAND_EXECUTION
 SECURITY_PASSWORD_EXPIRATION_TIME = CONFIG.SECURITY_PASSWORD_EXPIRATION_TIME # Unit: day
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index faa2379b3..28f37294d 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:39ab4c9155d1dfdd83f8c8037a70af28bcf06d2a75fd129fe77edab2f761ea5f
-size 97367
+oid sha256:8a421482ff4103a9c3ca895b29e739c2cef0dc10a4f9914bfe7226fa3c45cac4
+size 97592
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 2aaa0c801..860c414a6 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-02-08 11:43+0800\n"
+"POT-Creation-Date: 2022-02-08 17:40+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler \n"
 "Language-Team: JumpServer team\n"
@@ -825,11 +825,11 @@ msgstr "忽略大小写"
 msgid "Command filter rule"
 msgstr "命令过滤规则"
-#: assets/models/cmd_filter.py:141
+#: assets/models/cmd_filter.py:144
 msgid "The generated regular expression is incorrect: {}"
 msgstr "生成的正则表达式有误"
-#: assets/models/cmd_filter.py:167 tickets/const.py:13
+#: assets/models/cmd_filter.py:170 tickets/const.py:13
 msgid "Command confirm"
 msgstr "命令复核"
@@ -3525,34 +3525,42 @@ msgid "Global MFA auth" msgstr "全局启用 MFA 认证" #: settings/serializers/security.py:47 +msgid "Third-party login users perform MFA authentication" +msgstr "第三方登录用户进行MFA认证" + +#: settings/serializers/security.py:48 +msgid "The third-party login modes include OIDC, CAS, and SAML2" +msgstr "第三方登录方式包括: OIDC、CAS、SAML2" + +#: settings/serializers/security.py:52 msgid "Limit the number of user login failures" msgstr "限制用户登录失败次数" -#: settings/serializers/security.py:51 +#: settings/serializers/security.py:56 msgid "Block user login interval" msgstr "禁止用户登录时间间隔" -#: settings/serializers/security.py:56 +#: settings/serializers/security.py:61 msgid "Limit the number of IP login failures" msgstr "限制 IP 登录失败次数" -#: settings/serializers/security.py:60 +#: settings/serializers/security.py:65 msgid "Block IP login interval" msgstr "禁止 IP 登录时间间隔" -#: settings/serializers/security.py:64 +#: settings/serializers/security.py:69 msgid "Login IP White List" msgstr "IP 登录白名单" -#: settings/serializers/security.py:69 +#: settings/serializers/security.py:74 msgid "Login IP Black List" msgstr "IP 登录黑名单" -#: settings/serializers/security.py:75 +#: settings/serializers/security.py:80 msgid "User password expiration" msgstr "用户密码过期时间" -#: settings/serializers/security.py:77 +#: settings/serializers/security.py:82 msgid "" "Unit: day, If the user does not update the password during the time, the " "user password will expire failure;The password expiration reminder mail will " 
@@ -3562,55 +3570,55 @@ msgstr "" "单位:天, 如果用户在此期间没有更新密码,用户密码将过期失效; 密码过期提醒邮件" "将在密码过期前5天内由系统(每天)自动发送给用户" -#: settings/serializers/security.py:84 +#: settings/serializers/security.py:89 msgid "Number of repeated historical passwords" msgstr "不能设置近几次密码" -#: settings/serializers/security.py:86 +#: settings/serializers/security.py:91 msgid "" "Tip: When the user resets the password, it cannot be the previous n " "historical passwords of the user" msgstr "提示:用户重置密码时,不能为该用户前几次使用过的密码" -#: settings/serializers/security.py:91 +#: settings/serializers/security.py:96 msgid "Only single device login" msgstr "仅一台设备登录" -#: settings/serializers/security.py:92 +#: settings/serializers/security.py:97 msgid "Next device login, pre login will be logout" msgstr "下个设备登录,上次登录会被顶掉" -#: settings/serializers/security.py:95 +#: settings/serializers/security.py:100 msgid "Only exist user login" msgstr "仅已存在用户登录" -#: settings/serializers/security.py:96 +#: settings/serializers/security.py:101 msgid "If enable, CAS、OIDC auth will be failed, if user not exist yet" msgstr "开启后,如果系统中不存在该用户,CAS、OIDC 登录将会失败" -#: settings/serializers/security.py:99 +#: settings/serializers/security.py:104 msgid "Only from source login" msgstr "仅从用户来源登录" -#: settings/serializers/security.py:100 +#: settings/serializers/security.py:105 msgid "Only log in from the user source property" msgstr "开启后,如果用户来源为本地,CAS、OIDC 登录将会失败" -#: settings/serializers/security.py:104 +#: settings/serializers/security.py:109 msgid "MFA verify TTL" msgstr "MFA 校验有效期" -#: settings/serializers/security.py:106 +#: settings/serializers/security.py:111 msgid "" "Unit: second, The verification MFA takes effect only when you view the " "account password" msgstr "单位: 秒, 目前仅在查看账号密码校验 MFA 时生效" -#: settings/serializers/security.py:111 +#: settings/serializers/security.py:116 msgid "Enable Login dynamic code" msgstr "启用登录附加码" -#: settings/serializers/security.py:112 +#: settings/serializers/security.py:117 msgid "" "The password and additional code are 
sent to a third party authentication " "system for verification" 
@@ -3618,89 +3626,89 @@ msgstr "" "密码和附加码一并发送给第三方认证系统进行校验, 如:有的第三方认证系统,需要 密" "码+6位数字 完成认证" -#: settings/serializers/security.py:117 +#: settings/serializers/security.py:122 msgid "MFA in login page" msgstr "MFA 在登录页面输入" -#: settings/serializers/security.py:118 +#: settings/serializers/security.py:123 msgid "Eu security regulations(GDPR) require MFA to be on the login page" msgstr "欧盟数据安全法规(GDPR) 要求 MFA 在登录页面,来确保系统登录安全" -#: settings/serializers/security.py:121 +#: settings/serializers/security.py:126 msgid "Enable Login captcha" msgstr "启用登录验证码" -#: settings/serializers/security.py:122 +#: settings/serializers/security.py:127 msgid "Enable captcha to prevent robot authentication" msgstr "开启验证码,防止机器人登录" -#: settings/serializers/security.py:142 +#: settings/serializers/security.py:147 msgid "Enable terminal register" msgstr "终端注册" -#: settings/serializers/security.py:144 +#: settings/serializers/security.py:149 msgid "" "Allow terminal register, after all terminal setup, you should disable this " "for security" msgstr "是否允许终端注册,当所有终端启动后,为了安全应该关闭" -#: settings/serializers/security.py:148 +#: settings/serializers/security.py:153 msgid "Enable watermark" msgstr "开启水印" -#: settings/serializers/security.py:149 +#: settings/serializers/security.py:154 msgid "Enabled, the web session and replay contains watermark information" msgstr "启用后,Web 会话和录像将包含水印信息" -#: settings/serializers/security.py:153 +#: settings/serializers/security.py:158 msgid "Connection max idle time" msgstr "连接最大空闲时间" -#: settings/serializers/security.py:154 +#: settings/serializers/security.py:159 msgid "If idle time more than it, disconnect connection Unit: minute" msgstr "提示:如果超过该配置没有操作,连接会被断开 (单位:分)" -#: settings/serializers/security.py:157 +#: settings/serializers/security.py:162 msgid "Remember manual auth" msgstr "保存手动输入密码" -#: settings/serializers/security.py:160 +#: settings/serializers/security.py:165 msgid "Enable change auth secure mode" msgstr "启用改密安全模式" -#: settings/serializers/security.py:163 
+#: settings/serializers/security.py:168 msgid "Insecure command alert" msgstr "危险命令告警" -#: settings/serializers/security.py:166 +#: settings/serializers/security.py:171 msgid "Email recipient" msgstr "邮件收件人" -#: settings/serializers/security.py:167 +#: settings/serializers/security.py:172 msgid "Multiple user using , split" msgstr "多个用户,使用 , 分割" -#: settings/serializers/security.py:170 +#: settings/serializers/security.py:175 msgid "Batch command execution" msgstr "批量命令执行" -#: settings/serializers/security.py:171 +#: settings/serializers/security.py:176 msgid "Allow user run batch command or not using ansible" msgstr "是否允许用户使用 ansible 执行批量命令" -#: settings/serializers/security.py:174 +#: settings/serializers/security.py:179 msgid "Session share" msgstr "会话分享" -#: settings/serializers/security.py:175 +#: settings/serializers/security.py:180 msgid "Enabled, Allows user active session to be shared with other users" msgstr "开启后允许用户分享已连接的资产会话给它人,协同工作" -#: settings/serializers/security.py:178 +#: settings/serializers/security.py:183 msgid "Remote Login Protection" msgstr "异地登录保护" -#: settings/serializers/security.py:180 +#: settings/serializers/security.py:185 msgid "" "The system determines whether the login IP address belongs to a common login " "city. If the account is logged in from a common login city, the system sends " diff --git a/apps/settings/serializers/security.py b/apps/settings/serializers/security.py index 6463cdff2..fb96b3502 100644 --- a/apps/settings/serializers/security.py +++ b/apps/settings/serializers/security.py 
@@ -42,6 +42,11 @@ class SecurityAuthSerializer(serializers.Serializer):
 ), required=False, label=_("Global MFA auth")
 )
+ SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY = serializers.BooleanField(
+ required=False, default=True,
+ label=_('Third-party login users perform MFA authentication'),
+ help_text=_('The third-party login modes include OIDC, CAS, and SAML2'),
+ )
 SECURITY_LOGIN_LIMIT_COUNT = serializers.IntegerField(
 min_value=3, max_value=99999, label=_('Limit the number of user login failures')
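Review bot: The help_text on the new SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY field lists the login modes but not what switching it off does, which is the part an administrator needs before changing a security setting; per the signals_handlers change in this commit, disabling it means those users are no longer flagged for post-login MFA even when MFA is enabled on their account. Suggest `help_text=_('When disabled, users who sign in via OIDC, CAS or SAML2 are not asked for MFA after login, even if MFA is enabled for them')`, with a matching django.po entry. The field is otherwise consistent with its siblings, and pairing `required=False` with an explicit `default=True` keeps the secure default when the key is absent from a request. SecurityAuthSerializer begins outside the hunk.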