refactor(authentication): 密码解密抽取成方法

4 years ago · 962ea67b84
parent 31720c9dcc
commit 962ea67b84
3 changed files with 32 additions and 16 deletions
--- a/apps/authentication/const.py
+++ b/apps/authentication/const.py
@ -0,0 +1,2 @@
+RSA_PRIVATE_KEY = 'rsa_private_key'
+RSA_PUBLIC_KEY = 'rsa_public_key'
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@ -16,6 +16,7 @@ from users.utils import (
 from . import errors
 from .utils import rsa_decrypt
 from .signals import post_auth_success, post_auth_failed
+from .const import RSA_PRIVATE_KEY

 logger = get_logger(__name__)

@ -55,7 +56,19 @@ class AuthMixin:
            logger.warn('Ip was blocked' + ': ' + username + ':' + ip)
            raise errors.BlockLoginError(username=username, ip=ip)

-    def check_user_auth(self):
+    def decrypt_passwd(self, raw_passwd):
+        # 获取解密密钥，对密码进行解密
+        rsa_private_key = self.request.session.get(RSA_PRIVATE_KEY)
+        if rsa_private_key is not None:
+            try:
+                return rsa_decrypt(raw_passwd, rsa_private_key)
+            except Exception as e:
+                logger.error(e, exc_info=True)
+                logger.error(f'Decrypt password faild: password[{raw_passwd}] rsa_private_key[{rsa_private_key}]')
+                return None
+        return raw_passwd
+
+    def check_user_auth(self, decrypt_passwd=False):
        self.check_is_block()
        request = self.request
        if hasattr(request, 'data'):
@ -70,14 +83,9 @@ class AuthMixin:

        CredentialError = partial(errors.CredentialError, username=username, ip=ip, request=request)

-        # 获取解密密钥，对密码进行解密
-        rsa_private_key = request.session.get('rsa_private_key')
-        if rsa_private_key is not None:
-            try:
-                password = rsa_decrypt(password, rsa_private_key)
-            except Exception as e:
-                logger.error(e, exc_info=True)
-                logger.error('Need decrypt password => {}'.format(password))
+        if decrypt_passwd:
+            password = self.decrypt_passwd(password)
+            if not password:
                raise CredentialError(error=errors.reason_password_decrypt_failed)

        user = authenticate(request,
@ -119,14 +127,14 @@ class AuthMixin:

            raise errors.PasswdTooSimple(f'{flash_page_url}?{query_str}')

-    def check_user_auth_if_need(self):
+    def check_user_auth_if_need(self, decrypt_passwd=False):
        request = self.request
        if request.session.get('auth_password') and \
                request.session.get('user_id'):
            user = self.get_user_from_session()
            if user:
                return user
-        return self.check_user_auth()
+        return self.check_user_auth(decrypt_passwd=decrypt_passwd)

    def check_user_mfa_if_need(self, user):
        if self.request.session.get('auth_mfa'):
--- a/apps/authentication/views/login.py
+++ b/apps/authentication/views/login.py
@ -22,6 +22,7 @@ from common.utils import get_request_ip, get_object_or_none
 from users.utils import (
    redirect_user_first_login_or_index
 )
+from ..const import RSA_PRIVATE_KEY, RSA_PUBLIC_KEY
 from .. import mixins, errors, utils
 from ..forms import get_user_login_form_cls

@ -82,7 +83,7 @@ class UserLoginView(mixins.AuthMixin, FormView):
        if not self.request.session.test_cookie_worked():
            return HttpResponse(_("Please enable cookies and try again."))
        try:
-            self.check_user_auth()
+            self.check_user_auth(decrypt_passwd=True)
        except errors.AuthFailedError as e:
            form.add_error(None, e.msg)
            ip = self.get_request_ip()
@ -94,6 +95,7 @@ class UserLoginView(mixins.AuthMixin, FormView):
            return self.render_to_response(context)
        except errors.PasswdTooSimple as e:
            return redirect(e.url)
+        self.clear_rsa_key()
        return self.redirect_to_guard_view()

    def redirect_to_guard_view(self):
@ -110,15 +112,19 @@ class UserLoginView(mixins.AuthMixin, FormView):
        else:
            return get_user_login_form_cls()

+    def clear_rsa_key(self):
+        self.request.session[RSA_PRIVATE_KEY] = None
+        self.request.session[RSA_PUBLIC_KEY] = None
+
    def get_context_data(self, **kwargs):
        # 生成加解密密钥对，public_key传递给前端，private_key存入session中供解密使用
-        rsa_private_key = self.request.session.get('rsa_private_key')
-        rsa_public_key = self.request.session.get('rsa_public_key')
+        rsa_private_key = self.request.session.get(RSA_PRIVATE_KEY)
+        rsa_public_key = self.request.session.get(RSA_PUBLIC_KEY)
        if not all((rsa_private_key, rsa_public_key)):
            rsa_private_key, rsa_public_key = utils.gen_key_pair()
            rsa_public_key = rsa_public_key.replace('\n', '\\n')
-            self.request.session['rsa_private_key'] = rsa_private_key
-            self.request.session['rsa_public_key'] = rsa_public_key
+            self.request.session[RSA_PRIVATE_KEY] = rsa_private_key
+            self.request.session[RSA_PUBLIC_KEY] = rsa_public_key

        context = {
            'demo_mode': os.environ.get("DEMO_MODE"),