mirror of https://github.com/jumpserver/jumpserver
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
283 lines
9.4 KiB
283 lines
9.4 KiB
# -*- coding: utf-8 -*- |
|
# |
|
from celery import shared_task |
|
from django.conf import settings |
|
from django.contrib.auth.signals import user_logged_out |
|
from django.db.models.signals import post_save |
|
from django.dispatch import receiver |
|
from django.utils.translation import gettext_lazy as _ |
|
from django_auth_ldap.backend import populate_user |
|
from django_cas_ng.signals import cas_user_authenticated |
|
|
|
from audits.models import UserSession |
|
from authentication.backends.oauth2.signals import oauth2_create_or_update_user |
|
from authentication.backends.oidc.signals import openid_create_or_update_user |
|
from authentication.backends.radius.signals import radius_create_user |
|
from authentication.backends.saml2.signals import saml2_create_or_update_user |
|
from common.const.crontab import CRONTAB_AT_AM_TWO |
|
from common.decorators import on_transaction_commit |
|
from common.sessions.cache import user_session_manager |
|
from common.signals import django_ready |
|
from common.utils import get_logger |
|
from jumpserver.utils import get_current_request |
|
from ops.celery.decorator import register_as_period_task |
|
from orgs.models import Organization |
|
from orgs.utils import tmp_to_root_org |
|
from rbac.builtin import BuiltinRole |
|
from rbac.const import Scope |
|
from rbac.models import RoleBinding |
|
from settings.signals import setting_changed |
|
from .models import User, UserPasswordHistory, UserGroup |
|
from .signals import post_user_create |
|
|
|
logger = get_logger(__file__) |
|
|
|
|
|
def check_only_allow_exist_user_auth(created): |
|
if created and settings.ONLY_ALLOW_EXIST_USER_AUTH: |
|
request = get_current_request() |
|
request.user_need_delete = True |
|
request.error_message = _( |
|
'''The administrator has enabled "Only allow existing users to log in", |
|
and the current user is not in the user list. Please contact the administrator.''' |
|
) |
|
return False |
|
return True |
|
|
|
|
|
def user_authenticated_handle(user, created, source, attrs=None, **kwargs): |
|
if not check_only_allow_exist_user_auth(created): |
|
return |
|
|
|
if created: |
|
user.source = source |
|
user.save() |
|
|
|
if created: |
|
org_ids = bind_user_to_org_role(user) |
|
if isinstance(attrs, dict): |
|
group_names = attrs.get('groups') |
|
bind_user_to_group(org_ids, group_names, user) |
|
|
|
if not attrs: |
|
return |
|
|
|
always_update = getattr(settings, 'AUTH_%s_ALWAYS_UPDATE_USER' % source.upper(), False) |
|
if not created and always_update: |
|
attr_whitelist = ('user', 'username', 'email', 'phone', 'comment') |
|
logger.debug( |
|
"Receive {} user updated signal: {}, " |
|
"Update user info: {}," |
|
"(Update only properties in the whitelist. [{}])" |
|
"".format(source, user, str(attrs), ','.join(attr_whitelist)) |
|
) |
|
for key, value in attrs.items(): |
|
if key in attr_whitelist and value: |
|
setattr(user, key, value) |
|
user.save() |
|
|
|
|
|
@receiver(post_save, sender=User) |
|
def save_passwd_change(sender, instance: User, **kwargs): |
|
if instance.source != User.Source.local.value or not instance.password: |
|
return |
|
|
|
passwords = UserPasswordHistory.objects \ |
|
.filter(user=instance) \ |
|
.order_by('-date_created') \ |
|
.values_list('password', flat=True)[:settings.OLD_PASSWORD_HISTORY_LIMIT_COUNT] |
|
|
|
if instance.password not in list(passwords): |
|
UserPasswordHistory.objects.create( |
|
user=instance, password=instance.password, |
|
date_created=instance.date_password_last_updated |
|
) |
|
|
|
|
|
def update_role_superuser_if_need(user): |
|
if not user._update_superuser: |
|
return |
|
value = user._is_superuser |
|
if value: |
|
user.system_roles.add_role_system_admin() |
|
else: |
|
user.system_roles.remove_role_system_admin() |
|
|
|
|
|
@receiver(post_save, sender=User) |
|
@on_transaction_commit |
|
def on_user_create_set_default_system_role(sender, instance, created, **kwargs): |
|
update_role_superuser_if_need(instance) |
|
if not created: |
|
return |
|
has_system_role = instance.system_roles.all().exists() |
|
if not has_system_role: |
|
logger.debug("Receive user create signal, set default role") |
|
instance.system_roles.add_role_system_user() |
|
|
|
|
|
@receiver(post_user_create) |
|
def on_user_create(sender, user=None, **kwargs): |
|
logger.debug("Receive user `{}` create signal".format(user.name)) |
|
from .utils import send_user_created_mail |
|
logger.info(" - Sending welcome mail ...".format(user.name)) |
|
request = get_current_request() |
|
password_strategy = getattr(request, 'password_strategy', '') |
|
if user.can_send_created_mail() and password_strategy == 'email': |
|
send_user_created_mail(user) |
|
|
|
|
|
@receiver(cas_user_authenticated) |
|
def on_cas_user_authenticated(sender, user, created, **kwargs): |
|
source = user.Source.cas.value |
|
user_authenticated_handle(user, created, source) |
|
|
|
|
|
@receiver(saml2_create_or_update_user) |
|
def on_saml2_create_or_update_user(sender, user, created, attrs, **kwargs): |
|
source = user.Source.saml2.value |
|
user_authenticated_handle(user, created, source, attrs, **kwargs) |
|
|
|
|
|
@receiver(oauth2_create_or_update_user) |
|
def on_oauth2_create_or_update_user(sender, user, created, attrs, **kwargs): |
|
source = user.Source.oauth2.value |
|
user_authenticated_handle(user, created, source, attrs, **kwargs) |
|
|
|
|
|
@receiver(radius_create_user) |
|
def radius_create_user(sender, user, **kwargs): |
|
user.source = user.Source.radius.value |
|
user.save() |
|
bind_user_to_org_role(user) |
|
|
|
|
|
@receiver(openid_create_or_update_user) |
|
def on_openid_create_or_update_user(sender, request, user, created, attrs, **kwargs): |
|
if not check_only_allow_exist_user_auth(created): |
|
return |
|
|
|
if created: |
|
logger.debug( |
|
"Receive OpenID user created signal: {}, " |
|
"Set user source is: {}".format(user, User.Source.openid.value) |
|
) |
|
user.source = User.Source.openid.value |
|
user.save() |
|
org_ids = bind_user_to_org_role(user) |
|
group_names = attrs.get('groups') |
|
bind_user_to_group(org_ids, group_names, user) |
|
|
|
name = attrs.get('name') |
|
username = attrs.get('username') |
|
email = attrs.get('email') |
|
|
|
if not created and settings.AUTH_OPENID_ALWAYS_UPDATE_USER: |
|
logger.debug( |
|
"Receive OpenID user updated signal: {}, " |
|
"Update user info: {}" |
|
"".format(user, "name: {}|username: {}|email: {}".format(name, username, email)) |
|
) |
|
user.name = name |
|
user.username = username |
|
user.email = email |
|
user.save() |
|
|
|
|
|
@receiver(populate_user) |
|
def on_ldap_create_user(sender, user, ldap_user, **kwargs): |
|
if user and user.username not in ['admin']: |
|
exists = User.objects.filter(username=user.username).exists() |
|
if not exists: |
|
user.source = user.Source.ldap.value |
|
user.save() |
|
|
|
|
|
@shared_task( |
|
verbose_name=_('Clean up expired user sessions'), |
|
description=_( |
|
"""After logging in via the web, a user session record is created. At 2 a.m. every day, |
|
the system cleans up inactive user devices""" |
|
) |
|
) |
|
@register_as_period_task(crontab=CRONTAB_AT_AM_TWO) |
|
def clean_expired_user_session_period(): |
|
UserSession.clear_expired_sessions() |
|
|
|
|
|
@receiver(user_logged_out) |
|
def user_logged_out_callback(sender, request, user, **kwargs): |
|
session_key = request.session.session_key |
|
user_session_manager.remove(session_key) |
|
UserSession.objects.filter(key=session_key).delete() |
|
|
|
|
|
@receiver(setting_changed) |
|
@on_transaction_commit |
|
def on_auth_setting_changed_clear_source_choice(sender, name='', **kwargs): |
|
if name.startswith('AUTH_'): |
|
User._source_choices = [] |
|
|
|
|
|
@receiver(django_ready) |
|
def on_django_ready_refresh_source(sender, **kwargs): |
|
User._source_choices = [] |
|
|
|
|
|
def bind_user_to_org_role(user): |
|
source = user.source.upper() |
|
org_ids = getattr(settings, f"{source}_ORG_IDS", None) |
|
|
|
if not org_ids: |
|
logger.error(f"User {user} has no {source} orgs") |
|
return |
|
|
|
org_role_ids = [BuiltinRole.org_user.id] |
|
|
|
bindings = [ |
|
RoleBinding( |
|
user=user, org_id=org_id, scope=Scope.org, |
|
role_id=role_id, |
|
) |
|
for role_id in org_role_ids |
|
for org_id in org_ids |
|
] |
|
|
|
RoleBinding.objects.bulk_create(bindings, ignore_conflicts=True) |
|
return org_ids |
|
|
|
|
|
def bind_user_to_group(org_ids, group_names, user): |
|
if isinstance(group_names, str): |
|
group_names = [group_names] |
|
|
|
if not isinstance(group_names, list): |
|
return |
|
|
|
org_ids = org_ids or [Organization.DEFAULT_ID] |
|
|
|
with tmp_to_root_org(): |
|
existing_groups = UserGroup.objects.filter(org_id__in=org_ids).values_list('org_id', 'name') |
|
|
|
org_groups_map = {} |
|
for org_id, group_name in existing_groups: |
|
org_groups_map.setdefault(org_id, []).append(group_name) |
|
|
|
groups_to_create = [] |
|
for org_id in org_ids: |
|
existing_group_names = set(org_groups_map.get(org_id, [])) |
|
new_group_names = set(group_names) - existing_group_names |
|
groups_to_create.extend( |
|
UserGroup(org_id=org_id, name=name) for name in new_group_names |
|
) |
|
|
|
UserGroup.objects.bulk_create(groups_to_create) |
|
|
|
user_groups = UserGroup.objects.filter(org_id__in=org_ids, name__in=group_names) |
|
|
|
user_group_links = [ |
|
User.groups.through(user_id=user.id, usergroup_id=group.id) |
|
for group in user_groups |
|
] |
|
if user_group_links: |
|
User.groups.through.objects.bulk_create(user_group_links)
|
|
|