feat: 异地登录提醒可配置是否启用

pull/7153/head^2
xinwen 2021-11-08 15:12:12 +08:00 committed by 老广
parent f9e970f4ed
commit bac974b4f2
6 changed files with 26 additions and 4 deletions


@ -15,7 +15,7 @@ from rest_framework.request import Request
from assets.models import Asset, SystemUser from assets.models import Asset, SystemUser
from authentication.signals import post_auth_failed, post_auth_success from authentication.signals import post_auth_failed, post_auth_success
from authentication.utils import check_different_city_login from authentication.utils import check_different_city_login_if_need
from jumpserver.utils import current_request from jumpserver.utils import current_request
from users.models import User from users.models import User
from users.signals import post_user_change_password from users.signals import post_user_change_password
@ -304,7 +304,7 @@ def generate_data(username, request, login_type=None):
@receiver(post_auth_success) @receiver(post_auth_success)
def on_user_auth_success(sender, user, request, login_type=None, **kwargs): def on_user_auth_success(sender, user, request, login_type=None, **kwargs):
logger.debug('User login success: {}'.format(user.username)) logger.debug('User login success: {}'.format(user.username))
check_different_city_login(user, request) check_different_city_login_if_need(user, request)
data = generate_data(user.username, request, login_type=login_type) data = generate_data(user.username, request, login_type=login_type)
data.update({'mfa': int(user.mfa_enabled), 'status': True}) data.update({'mfa': int(user.mfa_enabled), 'status': True})
write_login_log(**data) write_login_log(**data)


@ -5,6 +5,7 @@ from Cryptodome.PublicKey import RSA
from Cryptodome.Cipher import PKCS1_v1_5 from Cryptodome.Cipher import PKCS1_v1_5
from Cryptodome import Random from Cryptodome import Random
from django.conf import settings
from .notifications import DifferentCityLoginMessage from .notifications import DifferentCityLoginMessage
from audits.models import UserLoginLog from audits.models import UserLoginLog
from audits.const import DEFAULT_CITY from audits.const import DEFAULT_CITY
@ -51,7 +52,10 @@ def rsa_decrypt(cipher_text, rsa_private_key=None):
return message return message
def check_different_city_login(user, request): def check_different_city_login_if_need(user, request):
if not settings.SECURITY_CHECK_DIFFERENT_CITY_LOGIN:
return
ip = get_request_ip(request) or '0.0.0.0' ip = get_request_ip(request) or '0.0.0.0'
if not (ip and validate_ip(ip)): if not (ip and validate_ip(ip)):
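Review bot: The new early return at the top of `check_different_city_login_if_need` skips the check silently, so with `SECURITY_CHECK_DIFFERENT_CITY_LOGIN` off nothing distinguishes "check disabled" from "check ran and found nothing unusual". Because this setting switches off a login-anomaly notification, I would add a docstring such as `"""Send a different-city login notice unless SECURITY_CHECK_DIFFERENT_CITY_LOGIN is disabled."""`. I would also emit a debug-level log line before the `return`, assuming the module has a logger; none is visible in this hunk. The function body continues past the end of the hunk, so the rest of the check is not reviewed here.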


@ -311,6 +311,7 @@ class Config(dict):
'SECURITY_WATERMARK_ENABLED': True, 'SECURITY_WATERMARK_ENABLED': True,
'SECURITY_MFA_VERIFY_TTL': 3600, 'SECURITY_MFA_VERIFY_TTL': 3600,
'SECURITY_SESSION_SHARE': True, 'SECURITY_SESSION_SHARE': True,
'SECURITY_CHECK_DIFFERENT_CITY_LOGIN': True,
'OLD_PASSWORD_HISTORY_LIMIT_COUNT': 5, 'OLD_PASSWORD_HISTORY_LIMIT_COUNT': 5,
'CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED': True, 'CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED': True,
'USER_LOGIN_SINGLE_MACHINE_ENABLED': False, 'USER_LOGIN_SINGLE_MACHINE_ENABLED': False,


@ -61,6 +61,7 @@ SECURITY_DATA_CRYPTO_ALGO = CONFIG.SECURITY_DATA_CRYPTO_ALGO
SECURITY_INSECURE_COMMAND = CONFIG.SECURITY_INSECURE_COMMAND SECURITY_INSECURE_COMMAND = CONFIG.SECURITY_INSECURE_COMMAND
SECURITY_INSECURE_COMMAND_LEVEL = CONFIG.SECURITY_INSECURE_COMMAND_LEVEL SECURITY_INSECURE_COMMAND_LEVEL = CONFIG.SECURITY_INSECURE_COMMAND_LEVEL
SECURITY_INSECURE_COMMAND_EMAIL_RECEIVER = CONFIG.SECURITY_INSECURE_COMMAND_EMAIL_RECEIVER SECURITY_INSECURE_COMMAND_EMAIL_RECEIVER = CONFIG.SECURITY_INSECURE_COMMAND_EMAIL_RECEIVER
SECURITY_CHECK_DIFFERENT_CITY_LOGIN = CONFIG.SECURITY_CHECK_DIFFERENT_CITY_LOGIN
# Terminal other setting # Terminal other setting
TERMINAL_PASSWORD_AUTH = CONFIG.TERMINAL_PASSWORD_AUTH TERMINAL_PASSWORD_AUTH = CONFIG.TERMINAL_PASSWORD_AUTH


@ -7,7 +7,7 @@ msgid ""
msgstr "" msgstr ""
"Project-Id-Version: JumpServer 0.3.3\n" "Project-Id-Version: JumpServer 0.3.3\n"
"Report-Msgid-Bugs-To: \n" "Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2021-11-05 11:41+0800\n" "POT-Creation-Date: 2021-11-08 15:08+0800\n"
"PO-Revision-Date: 2021-05-20 10:54+0800\n" "PO-Revision-Date: 2021-05-20 10:54+0800\n"
"Last-Translator: ibuler <ibuler@qq.com>\n" "Last-Translator: ibuler <ibuler@qq.com>\n"
"Language-Team: JumpServer team<ibuler@qq.com>\n" "Language-Team: JumpServer team<ibuler@qq.com>\n"
@ -3416,6 +3416,17 @@ msgstr "会话分享"
msgid "Enabled, Allows user active session to be shared with other users" msgid "Enabled, Allows user active session to be shared with other users"
msgstr "开启后允许用户分享已连接的资产会话给它人,协同工作" msgstr "开启后允许用户分享已连接的资产会话给它人,协同工作"
#: settings/serializers/security.py:144
msgid "Remote Login Protection"
msgstr "异地登录保护"
#: settings/serializers/security.py:145
msgid ""
"The system determines whether the login IP address belongs to a common login "
"city. If the account is logged in from a common login city, the system sends "
"a remote login reminder"
msgstr "根据登录IP是否所属常用登录城市进行判断若账号在非常用城市登录会发送异地登录提醒"
#: settings/serializers/sms.py:7 #: settings/serializers/sms.py:7
msgid "Label" msgid "Label"
msgstr "标签" msgstr "标签"


@ -140,3 +140,8 @@ class SecuritySettingSerializer(SecurityPasswordRuleSerializer, SecurityAuthSeri
required=True, label=_('Session share'), required=True, label=_('Session share'),
help_text=_("Enabled, Allows user active session to be shared with other users") help_text=_("Enabled, Allows user active session to be shared with other users")
) )
SECURITY_CHECK_DIFFERENT_CITY_LOGIN = serializers.BooleanField(
required=False, label=_('Remote Login Protection'),
help_text=_('The system determines whether the login IP address belongs to a common login city. '
'If the account is logged in from a common login city, the system sends a remote login reminder')
)
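Review bot: The `help_text` on the new `SECURITY_CHECK_DIFFERENT_CITY_LOGIN` field says the reminder is sent when the account logs in "from a common login city", which is the opposite of the intended behaviour. The Chinese `msgstr` added to the locale file in this same commit says 非常用城市, a city that is not commonly used. The second sentence should read `'If the account is logged in from an uncommon login city, the system sends a remote login reminder'`. The matching `msgid` in the .po file has to change with it, otherwise the translation lookup no longer matches and the English text is shown. Separately, this field is `required=False` while the session-share field just above it is `required=True`; if that difference is deliberate, a short comment saying why would help.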