feat: 异地登录提醒可配置是否启用

2021-11-08 15:12:12 +08:00 · 2021-11-08 15:12:12 +08:00 · bac974b4f2
parent f9e970f4ed
commit bac974b4f2
6 changed files with 26 additions and 4 deletions
--- a/apps/audits/signals_handler.py
+++ b/apps/audits/signals_handler.py
@ -15,7 +15,7 @@ from rest_framework.request import Request

 from assets.models import Asset, SystemUser
 from authentication.signals import post_auth_failed, post_auth_success
-from authentication.utils import check_different_city_login
+from authentication.utils import check_different_city_login_if_need
 from jumpserver.utils import current_request
 from users.models import User
 from users.signals import post_user_change_password
@ -304,7 +304,7 @@ def generate_data(username, request, login_type=None):
@receiver(post_auth_success)
 def on_user_auth_success(sender, user, request, login_type=None, **kwargs):
    logger.debug('User login success: {}'.format(user.username))
-    check_different_city_login(user, request)
+    check_different_city_login_if_need(user, request)
    data = generate_data(user.username, request, login_type=login_type)
    data.update({'mfa': int(user.mfa_enabled), 'status': True})
    write_login_log(**data)
--- a/apps/authentication/utils.py
+++ b/apps/authentication/utils.py
@ -5,6 +5,7 @@ from Cryptodome.PublicKey import RSA
 from Cryptodome.Cipher import PKCS1_v1_5
 from Cryptodome import Random

+from django.conf import settings
 from .notifications import DifferentCityLoginMessage
 from audits.models import UserLoginLog
 from audits.const import DEFAULT_CITY
@ -51,7 +52,10 @@ def rsa_decrypt(cipher_text, rsa_private_key=None):
    return message


-def check_different_city_login(user, request):
+def check_different_city_login_if_need(user, request):
+    if not settings.SECURITY_CHECK_DIFFERENT_CITY_LOGIN:
+        return
+
    ip = get_request_ip(request) or '0.0.0.0'

    if not (ip and validate_ip(ip)):
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@ -311,6 +311,7 @@ class Config(dict):
        'SECURITY_WATERMARK_ENABLED': True,
        'SECURITY_MFA_VERIFY_TTL': 3600,
        'SECURITY_SESSION_SHARE': True,
+        'SECURITY_CHECK_DIFFERENT_CITY_LOGIN': True,
        'OLD_PASSWORD_HISTORY_LIMIT_COUNT': 5,
        'CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED': True,
        'USER_LOGIN_SINGLE_MACHINE_ENABLED': False,
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@ -61,6 +61,7 @@ SECURITY_DATA_CRYPTO_ALGO = CONFIG.SECURITY_DATA_CRYPTO_ALGO
 SECURITY_INSECURE_COMMAND = CONFIG.SECURITY_INSECURE_COMMAND
 SECURITY_INSECURE_COMMAND_LEVEL = CONFIG.SECURITY_INSECURE_COMMAND_LEVEL
 SECURITY_INSECURE_COMMAND_EMAIL_RECEIVER = CONFIG.SECURITY_INSECURE_COMMAND_EMAIL_RECEIVER
+SECURITY_CHECK_DIFFERENT_CITY_LOGIN = CONFIG.SECURITY_CHECK_DIFFERENT_CITY_LOGIN

 # Terminal other setting
 TERMINAL_PASSWORD_AUTH = CONFIG.TERMINAL_PASSWORD_AUTH
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2021-11-05 11:41+0800\n"
+"POT-Creation-Date: 2021-11-08 15:08+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@ -3416,6 +3416,17 @@ msgstr "会话分享"
 msgid "Enabled, Allows user active session to be shared with other users"
 msgstr "开启后允许用户分享已连接的资产会话给它人，协同工作"

+#: settings/serializers/security.py:144
+msgid "Remote Login Protection"
+msgstr "异地登录保护"
+
+#: settings/serializers/security.py:145
+msgid ""
+"The system determines whether the login IP address belongs to a common login "
+"city. If the account is logged in from a common login city, the system sends "
+"a remote login reminder"
+msgstr "根据登录IP是否所属常用登录城市进行判断，若账号在非常用城市登录，会发送异地登录提醒"
+
 #: settings/serializers/sms.py:7
 msgid "Label"
 msgstr "标签"
--- a/apps/settings/serializers/security.py
+++ b/apps/settings/serializers/security.py
@ -140,3 +140,8 @@ class SecuritySettingSerializer(SecurityPasswordRuleSerializer, SecurityAuthSeri
        required=True, label=_('Session share'),
        help_text=_("Enabled, Allows user active session to be shared with other users")
    )
+    SECURITY_CHECK_DIFFERENT_CITY_LOGIN = serializers.BooleanField(
+        required=False, label=_('Remote Login Protection'),
+        help_text=_('The system determines whether the login IP address belongs to a common login city. '
+                    'If the account is logged in from a common login city, the system sends a remote login reminder')
+    )