feat: 增加系统设置(安全)控制第三方认证用户是否进行MFA认证

apps/authentication/signals_handlers.py

@@ -17,7 +17,9 @@ from .signals import post_auth_success, post_auth_failed
 @receiver(user_logged_in)
 def on_user_auth_login_success(sender, user, request, **kwargs):
     # 开启了 MFA，且没有校验过, 可以全局校验, middleware 中可以全局管理 oidc 等第三方认证的 MFA
-    if user.mfa_enabled and not request.session.get('auth_mfa'):
+    if settings.SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY \
+            and user.mfa_enabled \
+            and not request.session.get('auth_mfa'):
         request.session['auth_mfa_required'] = 1
 
     # 单点登录，超过了自动退出

apps/jumpserver/conf.py

@@ -312,6 +312,7 @@ class Config(dict):
 
         # 安全配置
         'SECURITY_MFA_AUTH': 0,  # 0 不开启 1 全局开启 2 管理员开启
+        'SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY': True,
         'SECURITY_COMMAND_EXECUTION': True,
         'SECURITY_SERVICE_ACCOUNT_REGISTRATION': True,
         'SECURITY_VIEW_AUTH_NEED_MFA': True,

apps/jumpserver/settings/custom.py

@@ -32,6 +32,7 @@ TERMINAL_REPLAY_STORAGE = CONFIG.TERMINAL_REPLAY_STORAGE
 
 # Security settings
 SECURITY_MFA_AUTH = CONFIG.SECURITY_MFA_AUTH
+SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY = CONFIG.SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY
 SECURITY_MAX_IDLE_TIME = CONFIG.SECURITY_MAX_IDLE_TIME  # Unit: minute
 SECURITY_COMMAND_EXECUTION = CONFIG.SECURITY_COMMAND_EXECUTION
 SECURITY_PASSWORD_EXPIRATION_TIME = CONFIG.SECURITY_PASSWORD_EXPIRATION_TIME  # Unit: day

apps/locale/zh/LC_MESSAGES/django.mo

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:39ab4c9155d1dfdd83f8c8037a70af28bcf06d2a75fd129fe77edab2f761ea5f
+oid sha256:8a421482ff4103a9c3ca895b29e739c2cef0dc10a4f9914bfe7226fa3c45cac4
-size 97367
+size 97592

apps/locale/zh/LC_MESSAGES/django.po

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-02-08 11:43+0800\n"
+"POT-Creation-Date: 2022-02-08 17:40+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -825,11 +825,11 @@ msgstr "忽略大小写"
 msgid "Command filter rule"
 msgstr "命令过滤规则"
 
-#: assets/models/cmd_filter.py:141
+#: assets/models/cmd_filter.py:144
 msgid "The generated regular expression is incorrect: {}"
 msgstr "生成的正则表达式有误"
 
-#: assets/models/cmd_filter.py:167 tickets/const.py:13
+#: assets/models/cmd_filter.py:170 tickets/const.py:13
 msgid "Command confirm"
 msgstr "命令复核"
 
@@ -3525,34 +3525,42 @@ msgid "Global MFA auth"
 msgstr "全局启用 MFA 认证"
 
 #: settings/serializers/security.py:47
+msgid "Third-party login users perform MFA authentication"
+msgstr "第三方登录用户进行MFA认证"
+
+#: settings/serializers/security.py:48
+msgid "The third-party login modes include OIDC, CAS, and SAML2"
+msgstr "第三方登录方式包括: OIDC、CAS、SAML2"
+
+#: settings/serializers/security.py:52
 msgid "Limit the number of user login failures"
 msgstr "限制用户登录失败次数"
 
-#: settings/serializers/security.py:51
+#: settings/serializers/security.py:56
 msgid "Block user login interval"
 msgstr "禁止用户登录时间间隔"
 
-#: settings/serializers/security.py:56
+#: settings/serializers/security.py:61
 msgid "Limit the number of IP login failures"
 msgstr "限制 IP 登录失败次数"
 
-#: settings/serializers/security.py:60
+#: settings/serializers/security.py:65
 msgid "Block IP login interval"
 msgstr "禁止 IP 登录时间间隔"
 
-#: settings/serializers/security.py:64
+#: settings/serializers/security.py:69
 msgid "Login IP White List"
 msgstr "IP 登录白名单"
 
-#: settings/serializers/security.py:69
+#: settings/serializers/security.py:74
 msgid "Login IP Black List"
 msgstr "IP 登录黑名单"
 
-#: settings/serializers/security.py:75
+#: settings/serializers/security.py:80
 msgid "User password expiration"
 msgstr "用户密码过期时间"
 
-#: settings/serializers/security.py:77
+#: settings/serializers/security.py:82
 msgid ""
 "Unit: day, If the user does not update the password during the time, the "
 "user password will expire failure;The password expiration reminder mail will "
@@ -3562,55 +3570,55 @@ msgstr ""
 "单位：天, 如果用户在此期间没有更新密码，用户密码将过期失效； 密码过期提醒邮件"
 "将在密码过期前5天内由系统（每天）自动发送给用户"
 
-#: settings/serializers/security.py:84
+#: settings/serializers/security.py:89
 msgid "Number of repeated historical passwords"
 msgstr "不能设置近几次密码"
 
-#: settings/serializers/security.py:86
+#: settings/serializers/security.py:91
 msgid ""
 "Tip: When the user resets the password, it cannot be the previous n "
 "historical passwords of the user"
 msgstr "提示：用户重置密码时，不能为该用户前几次使用过的密码"
 
-#: settings/serializers/security.py:91
+#: settings/serializers/security.py:96
 msgid "Only single device login"
 msgstr "仅一台设备登录"
 
-#: settings/serializers/security.py:92
+#: settings/serializers/security.py:97
 msgid "Next device login, pre login will be logout"
 msgstr "下个设备登录，上次登录会被顶掉"
 
-#: settings/serializers/security.py:95
+#: settings/serializers/security.py:100
 msgid "Only exist user login"
 msgstr "仅已存在用户登录"
 
-#: settings/serializers/security.py:96
+#: settings/serializers/security.py:101
 msgid "If enable, CAS、OIDC auth will be failed, if user not exist yet"
 msgstr "开启后，如果系统中不存在该用户，CAS、OIDC 登录将会失败"
 
-#: settings/serializers/security.py:99
+#: settings/serializers/security.py:104
 msgid "Only from source login"
 msgstr "仅从用户来源登录"
 
-#: settings/serializers/security.py:100
+#: settings/serializers/security.py:105
 msgid "Only log in from the user source property"
 msgstr "开启后，如果用户来源为本地，CAS、OIDC 登录将会失败"
 
-#: settings/serializers/security.py:104
+#: settings/serializers/security.py:109
 msgid "MFA verify TTL"
 msgstr "MFA 校验有效期"
 
-#: settings/serializers/security.py:106
+#: settings/serializers/security.py:111
 msgid ""
 "Unit: second, The verification MFA takes effect only when you view the "
 "account password"
 msgstr "单位: 秒, 目前仅在查看账号密码校验 MFA 时生效"
 
-#: settings/serializers/security.py:111
+#: settings/serializers/security.py:116
 msgid "Enable Login dynamic code"
 msgstr "启用登录附加码"
 
-#: settings/serializers/security.py:112
+#: settings/serializers/security.py:117
 msgid ""
 "The password and additional code are sent to a third party authentication "
 "system for verification"
@@ -3618,89 +3626,89 @@ msgstr ""
 "密码和附加码一并发送给第三方认证系统进行校验, 如：有的第三方认证系统，需要 密"
 "码+6位数字 完成认证"
 
-#: settings/serializers/security.py:117
+#: settings/serializers/security.py:122
 msgid "MFA in login page"
 msgstr "MFA 在登录页面输入"
 
-#: settings/serializers/security.py:118
+#: settings/serializers/security.py:123
 msgid "Eu security regulations(GDPR) require MFA to be on the login page"
 msgstr "欧盟数据安全法规(GDPR) 要求 MFA 在登录页面，来确保系统登录安全"
 
-#: settings/serializers/security.py:121
+#: settings/serializers/security.py:126
 msgid "Enable Login captcha"
 msgstr "启用登录验证码"
 
-#: settings/serializers/security.py:122
+#: settings/serializers/security.py:127
 msgid "Enable captcha to prevent robot authentication"
 msgstr "开启验证码，防止机器人登录"
 
-#: settings/serializers/security.py:142
+#: settings/serializers/security.py:147
 msgid "Enable terminal register"
 msgstr "终端注册"
 
-#: settings/serializers/security.py:144
+#: settings/serializers/security.py:149
 msgid ""
 "Allow terminal register, after all terminal setup, you should disable this "
 "for security"
 msgstr "是否允许终端注册，当所有终端启动后，为了安全应该关闭"
 
-#: settings/serializers/security.py:148
+#: settings/serializers/security.py:153
 msgid "Enable watermark"
 msgstr "开启水印"
 
-#: settings/serializers/security.py:149
+#: settings/serializers/security.py:154
 msgid "Enabled, the web session and replay contains watermark information"
 msgstr "启用后，Web 会话和录像将包含水印信息"
 
-#: settings/serializers/security.py:153
+#: settings/serializers/security.py:158
 msgid "Connection max idle time"
 msgstr "连接最大空闲时间"
 
-#: settings/serializers/security.py:154
+#: settings/serializers/security.py:159
 msgid "If idle time more than it, disconnect connection Unit: minute"
 msgstr "提示：如果超过该配置没有操作，连接会被断开 （单位：分）"
 
-#: settings/serializers/security.py:157
+#: settings/serializers/security.py:162
 msgid "Remember manual auth"
 msgstr "保存手动输入密码"
 
-#: settings/serializers/security.py:160
+#: settings/serializers/security.py:165
 msgid "Enable change auth secure mode"
 msgstr "启用改密安全模式"
 
-#: settings/serializers/security.py:163
+#: settings/serializers/security.py:168
 msgid "Insecure command alert"
 msgstr "危险命令告警"
 
-#: settings/serializers/security.py:166
+#: settings/serializers/security.py:171
 msgid "Email recipient"
 msgstr "邮件收件人"
 
-#: settings/serializers/security.py:167
+#: settings/serializers/security.py:172
 msgid "Multiple user using , split"
 msgstr "多个用户，使用 , 分割"
 
-#: settings/serializers/security.py:170
+#: settings/serializers/security.py:175
 msgid "Batch command execution"
 msgstr "批量命令执行"
 
-#: settings/serializers/security.py:171
+#: settings/serializers/security.py:176
 msgid "Allow user run batch command or not using ansible"
 msgstr "是否允许用户使用 ansible 执行批量命令"
 
-#: settings/serializers/security.py:174
+#: settings/serializers/security.py:179
 msgid "Session share"
 msgstr "会话分享"
 
-#: settings/serializers/security.py:175
+#: settings/serializers/security.py:180
 msgid "Enabled, Allows user active session to be shared with other users"
 msgstr "开启后允许用户分享已连接的资产会话给它人，协同工作"
 
-#: settings/serializers/security.py:178
+#: settings/serializers/security.py:183
 msgid "Remote Login Protection"
 msgstr "异地登录保护"
 
-#: settings/serializers/security.py:180
+#: settings/serializers/security.py:185
 msgid ""
 "The system determines whether the login IP address belongs to a common login "
 "city. If the account is logged in from a common login city, the system sends "

apps/settings/serializers/security.py

@@ -42,6 +42,11 @@ class SecurityAuthSerializer(serializers.Serializer):
         ),
         required=False, label=_("Global MFA auth")
     )
+    SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY = serializers.BooleanField(
+        required=False, default=True,
+        label=_('Third-party login users perform MFA authentication'),
+        help_text=_('The third-party login modes include OIDC, CAS, and SAML2'),
+    )
     SECURITY_LOGIN_LIMIT_COUNT = serializers.IntegerField(
         min_value=3, max_value=99999,
         label=_('Limit the number of user login failures')