From 962ea67b8410c7c09d97f266f929ed94df9c705d Mon Sep 17 00:00:00 2001
From: xinwen
Date: Wed, 12 Aug 2020 15:54:06 +0800
Subject: [PATCH] =?UTF-8?q?refactor(authentication):=20=E5=AF=86=E7=A0=81?= =?UTF-8?q?=E8=A7=A3=E5=AF=86=E6=8A=BD=E5=8F=96=E6=88=90=E6=96=B9=E6=B3=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
apps/authentication/const.py | 2 ++
apps/authentication/mixins.py | 30 +++++++++++++++++++-----------
apps/authentication/views/login.py | 16 +++++++++++-----
3 files changed, 32 insertions(+), 16 deletions(-)
create mode 100644 apps/authentication/const.py
diff --git a/apps/authentication/const.py b/apps/authentication/const.py
new file mode 100644
index 000000000..f5cf56471
--- /dev/null
+++ b/apps/authentication/const.py
@@ -0,0 +1,2 @@
+RSA_PRIVATE_KEY = 'rsa_private_key'
+RSA_PUBLIC_KEY = 'rsa_public_key'
diff --git a/apps/authentication/mixins.py b/apps/authentication/mixins.py
index 23ddac3cf..38a8a852c 100644
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@@ -16,6 +16,7 @@ from users.utils import (
 from . import errors
 from .utils import rsa_decrypt
 from .signals import post_auth_success, post_auth_failed
+from .const import RSA_PRIVATE_KEY
 logger = get_logger(__name__)
@@ -55,7 +56,19 @@ class AuthMixin:
 logger.warn('Ip was blocked' + ': ' + username + ':' + ip)
 raise errors.BlockLoginError(username=username, ip=ip)
- def check_user_auth(self):
+ def decrypt_passwd(self, raw_passwd):
+ # 获取解密密钥,对密码进行解密
+ rsa_private_key = self.request.session.get(RSA_PRIVATE_KEY)
+ if rsa_private_key is not None:
+ try:
+ return rsa_decrypt(raw_passwd, rsa_private_key)
+ except Exception as e:
+ logger.error(e, exc_info=True)
+ logger.error(f'Decrypt password faild: password[{raw_passwd}] rsa_private_key[{rsa_private_key}]')
+ return None
+ return raw_passwd
+
+ def check_user_auth(self, decrypt_passwd=False):
 self.check_is_block()
 request = self.request
 if hasattr(request, 'data'): 
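Review bot: The second `logger.error` in the new `decrypt_passwd` writes both the submitted password value and the session's RSA private key into the log; if a client ever posts the password unencrypted that is the plaintext credential, and the private key exposes every other ciphertext of that session to anyone who can read the logs. The exception is already captured with `exc_info=True` on the line above, so the second call can shrink to `logger.error('Decrypt password failed')`, which also fixes the "faild" typo. The method also falls through to `return raw_passwd` when no key is stored, so the login endpoint accepts an undecrypted password whenever the session key is absent; a docstring should make that explicit, e.g. `"""Decrypt raw_passwd with the session RSA key; returns raw_passwd unchanged when no key is stored and None when decryption fails."""`, so nobody mistakes this client-side obfuscation for a substitute for TLS.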
@@ -70,14 +83,9 @@ class AuthMixin:
 CredentialError = partial(errors.CredentialError, username=username, ip=ip, request=request)
- # 获取解密密钥,对密码进行解密
- rsa_private_key = request.session.get('rsa_private_key')
- if rsa_private_key is not None:
- try:
- password = rsa_decrypt(password, rsa_private_key)
- except Exception as e:
- logger.error(e, exc_info=True)
- logger.error('Need decrypt password => {}'.format(password))
+ if decrypt_passwd:
+ password = self.decrypt_passwd(password)
+ if not password:
 raise CredentialError(error=errors.reason_password_decrypt_failed)
 user = authenticate(request,
@@ -119,14 +127,14 @@ class AuthMixin:
 raise errors.PasswdTooSimple(f'{flash_page_url}?{query_str}')
- def check_user_auth_if_need(self):
+ def check_user_auth_if_need(self, decrypt_passwd=False):
 request = self.request
 if request.session.get('auth_password') and \
 request.session.get('user_id'):
 user = self.get_user_from_session()
 if user:
 return user
- return self.check_user_auth()
+ return self.check_user_auth(decrypt_passwd=decrypt_passwd)
 def check_user_mfa_if_need(self, user):
 if self.request.session.get('auth_mfa'):
diff --git a/apps/authentication/views/login.py b/apps/authentication/views/login.py
index d6331aa82..5493ac3c7 100644
--- a/apps/authentication/views/login.py
+++ b/apps/authentication/views/login.py
@@ -22,6 +22,7 @@ from common.utils import get_request_ip, get_object_or_none
 from users.utils import (
 redirect_user_first_login_or_index
 )
+from ..const import RSA_PRIVATE_KEY, RSA_PUBLIC_KEY
 from .. import mixins, errors, utils
 from ..forms import get_user_login_form_cls
@@ -82,7 +83,7 @@ class UserLoginView(mixins.AuthMixin, FormView):
 if not self.request.session.test_cookie_worked():
 return HttpResponse(_("Please enable cookies and try again."))
 try:
- self.check_user_auth()
+ self.check_user_auth(decrypt_passwd=True)
 except errors.AuthFailedError as e:
 form.add_error(None, e.msg)
 ip = self.get_request_ip() 
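Review bot: `if not password:` in the new `check_user_auth` body treats an empty decrypted string the same as the `None` that `decrypt_passwd` returns on failure, so a submission that decrypts to '' is reported as `reason_password_decrypt_failed` instead of as an ordinary bad credential; `if password is None:` matches what `decrypt_passwd` actually signals. Note also that `decrypt_passwd=False` is now the default on both `check_user_auth` and `check_user_auth_if_need`, whereas the removed lines decrypted whenever the session held a key, so any caller outside this diff that relied on that implicit decryption would now receive the ciphertext as the password — worth confirming against the other call sites before merging. The enclosing method body extends beyond the hunk on both sides.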
@@ -94,6 +95,7 @@ class UserLoginView(mixins.AuthMixin, FormView):
 return self.render_to_response(context)
 except errors.PasswdTooSimple as e:
 return redirect(e.url)
+ self.clear_rsa_key()
 return self.redirect_to_guard_view()
 def redirect_to_guard_view(self):
@@ -110,15 +112,19 @@ class UserLoginView(mixins.AuthMixin, FormView):
 else:
 return get_user_login_form_cls()
+ def clear_rsa_key(self):
+ self.request.session[RSA_PRIVATE_KEY] = None
+ self.request.session[RSA_PUBLIC_KEY] = None
+
 def get_context_data(self, **kwargs):
 # 生成加解密密钥对,public_key传递给前端,private_key存入session中供解密使用
- rsa_private_key = self.request.session.get('rsa_private_key')
- rsa_public_key = self.request.session.get('rsa_public_key')
+ rsa_private_key = self.request.session.get(RSA_PRIVATE_KEY)
+ rsa_public_key = self.request.session.get(RSA_PUBLIC_KEY)
 if not all((rsa_private_key, rsa_public_key)):
 rsa_private_key, rsa_public_key = utils.gen_key_pair()
 rsa_public_key = rsa_public_key.replace('\n', '\\n')
- self.request.session['rsa_private_key'] = rsa_private_key
- self.request.session['rsa_public_key'] = rsa_public_key
+ self.request.session[RSA_PRIVATE_KEY] = rsa_private_key
+ self.request.session[RSA_PUBLIC_KEY] = rsa_public_key
 context = {
 'demo_mode': os.environ.get("DEMO_MODE"),
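Review bot: `self.clear_rsa_key()` is only reached on the success path after the `except` branches, so when `AuthFailedError` is raised the key pair stays in the session and, if the re-rendered form's context comes from `get_context_data` (the following hunk, cut off at the end of this chunk), its `if not all(...)` check reuses that same pair for every retry in the session. If a fresh key per attempt is intended, call `self.clear_rsa_key()` at the top of the `except errors.AuthFailedError` branch before the context is rebuilt; otherwise a one-line comment on `clear_rsa_key` should state that the pair is deliberately kept until a successful login. As a point of style, `clear_rsa_key` assigns `None` rather than `self.request.session.pop(RSA_PRIVATE_KEY, None)`; both satisfy the `is not None` and `all(...)` checks, but `pop` keeps the stale entries out of the serialized session.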