github
/
jumpserver
mirror of https://github.com/jumpserver/jumpserver
1
0
Fork 0
Code Issues Releases Wiki Activity

refactor(authentication): 密码解密抽取成方法

pull/4483/head
xinwen 2020-08-12 15:54:06 +08:00 committed by 老广
parent 31720c9dcc
commit 962ea67b84
3 changed files with 32 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apps/authentication/const.py Normal file
View File

@ -0,0 +1,2 @@
RSA_PRIVATE_KEY = 'rsa_private_key'
RSA_PUBLIC_KEY = 'rsa_public_key'

30
apps/authentication/mixins.py
View File

@ -16,6 +16,7 @@ from users.utils import (
from . import errors from . import errors
from .utils import rsa_decrypt from .utils import rsa_decrypt
from .signals import post_auth_success, post_auth_failed from .signals import post_auth_success, post_auth_failed
from .const import RSA_PRIVATE_KEY
logger = get_logger(__name__) logger = get_logger(__name__)
@ -55,7 +56,19 @@ class AuthMixin:
logger.warn('Ip was blocked' + ': ' + username + ':' + ip) logger.warn('Ip was blocked' + ': ' + username + ':' + ip)
raise errors.BlockLoginError(username=username, ip=ip) raise errors.BlockLoginError(username=username, ip=ip)
def check_user_auth(self): def decrypt_passwd(self, raw_passwd):
# 获取解密密钥,对密码进行解密
rsa_private_key = self.request.session.get(RSA_PRIVATE_KEY)
if rsa_private_key is not None:
try:
return rsa_decrypt(raw_passwd, rsa_private_key)
except Exception as e:
logger.error(e, exc_info=True)
logger.error(f'Decrypt password faild: password[{raw_passwd}] rsa_private_key[{rsa_private_key}]')
return None
return raw_passwd
def check_user_auth(self, decrypt_passwd=False):
self.check_is_block() self.check_is_block()
request = self.request request = self.request
if hasattr(request, 'data'): if hasattr(request, 'data'):
@ -70,14 +83,9 @@ class AuthMixin:
CredentialError = partial(errors.CredentialError, username=username, ip=ip, request=request) CredentialError = partial(errors.CredentialError, username=username, ip=ip, request=request)
# 获取解密密钥,对密码进行解密 if decrypt_passwd:
rsa_private_key = request.session.get('rsa_private_key') password = self.decrypt_passwd(password)
if rsa_private_key is not None: if not password:
try:
password = rsa_decrypt(password, rsa_private_key)
except Exception as e:
logger.error(e, exc_info=True)
logger.error('Need decrypt password => {}'.format(password))
raise CredentialError(error=errors.reason_password_decrypt_failed) raise CredentialError(error=errors.reason_password_decrypt_failed)
user = authenticate(request, user = authenticate(request,
@ -119,14 +127,14 @@ class AuthMixin:
raise errors.PasswdTooSimple(f'{flash_page_url}?{query_str}') raise errors.PasswdTooSimple(f'{flash_page_url}?{query_str}')
def check_user_auth_if_need(self): def check_user_auth_if_need(self, decrypt_passwd=False):
request = self.request request = self.request
if request.session.get('auth_password') and \ if request.session.get('auth_password') and \
request.session.get('user_id'): request.session.get('user_id'):
user = self.get_user_from_session() user = self.get_user_from_session()
if user: if user:
return user return user
return self.check_user_auth() return self.check_user_auth(decrypt_passwd=decrypt_passwd)
def check_user_mfa_if_need(self, user): def check_user_mfa_if_need(self, user):
if self.request.session.get('auth_mfa'): if self.request.session.get('auth_mfa'):

16
apps/authentication/views/login.py
View File

@ -22,6 +22,7 @@ from common.utils import get_request_ip, get_object_or_none
from users.utils import ( from users.utils import (
redirect_user_first_login_or_index redirect_user_first_login_or_index
) )
from ..const import RSA_PRIVATE_KEY, RSA_PUBLIC_KEY
from .. import mixins, errors, utils from .. import mixins, errors, utils
from ..forms import get_user_login_form_cls from ..forms import get_user_login_form_cls
@ -82,7 +83,7 @@ class UserLoginView(mixins.AuthMixin, FormView):
if not self.request.session.test_cookie_worked(): if not self.request.session.test_cookie_worked():
return HttpResponse(_("Please enable cookies and try again.")) return HttpResponse(_("Please enable cookies and try again."))
try: try:
self.check_user_auth() self.check_user_auth(decrypt_passwd=True)
except errors.AuthFailedError as e: except errors.AuthFailedError as e:
form.add_error(None, e.msg) form.add_error(None, e.msg)
ip = self.get_request_ip() ip = self.get_request_ip()
@ -94,6 +95,7 @@ class UserLoginView(mixins.AuthMixin, FormView):
return self.render_to_response(context) return self.render_to_response(context)
except errors.PasswdTooSimple as e: except errors.PasswdTooSimple as e:
return redirect(e.url) return redirect(e.url)
self.clear_rsa_key()
return self.redirect_to_guard_view() return self.redirect_to_guard_view()
def redirect_to_guard_view(self): def redirect_to_guard_view(self):
@ -110,15 +112,19 @@ class UserLoginView(mixins.AuthMixin, FormView):
else: else:
return get_user_login_form_cls() return get_user_login_form_cls()
def clear_rsa_key(self):
self.request.session[RSA_PRIVATE_KEY] = None
self.request.session[RSA_PUBLIC_KEY] = None
def get_context_data(self, **kwargs): def get_context_data(self, **kwargs):
# 生成加解密密钥对public_key传递给前端private_key存入session中供解密使用 # 生成加解密密钥对public_key传递给前端private_key存入session中供解密使用
rsa_private_key = self.request.session.get('rsa_private_key') rsa_private_key = self.request.session.get(RSA_PRIVATE_KEY)
rsa_public_key = self.request.session.get('rsa_public_key') rsa_public_key = self.request.session.get(RSA_PUBLIC_KEY)
if not all((rsa_private_key, rsa_public_key)): if not all((rsa_private_key, rsa_public_key)):
rsa_private_key, rsa_public_key = utils.gen_key_pair() rsa_private_key, rsa_public_key = utils.gen_key_pair()
rsa_public_key = rsa_public_key.replace('\n', '\\n') rsa_public_key = rsa_public_key.replace('\n', '\\n')
self.request.session['rsa_private_key'] = rsa_private_key self.request.session[RSA_PRIVATE_KEY] = rsa_private_key
self.request.session['rsa_public_key'] = rsa_public_key self.request.session[RSA_PUBLIC_KEY] = rsa_public_key
context = { context = {
'demo_mode': os.environ.get("DEMO_MODE"), 'demo_mode': os.environ.get("DEMO_MODE"),