From 84aab7b0affaf382cea1a9396e44ef8e10e45e1e Mon Sep 17 00:00:00 2001 From: Apex Liu Date: Tue, 15 Jan 2019 02:50:49 +0800 Subject: [PATCH] ..try fix: password expired. --- server/www/teleport/static/js/auth/login.js | 10 +- server/www/teleport/static/js/tp-const.js | 5 +- .../www/teleport/static/js/user/bind-oath.js | 135 ---------- .../static/js/user/change-expired-password.js | 238 ++++++++++++++++++ .../view/user/change-expired-password.mako | 100 ++++++++ .../webroot/app/controller/__init__.py | 2 + .../teleport/webroot/app/controller/auth.py | 5 +- .../teleport/webroot/app/controller/user.py | 14 +- server/www/teleport/webroot/app/model/user.py | 78 +++--- 9 files changed, 410 insertions(+), 177 deletions(-) create mode 100644 server/www/teleport/static/js/user/change-expired-password.js create mode 100644 server/www/teleport/view/user/change-expired-password.mako diff --git a/server/www/teleport/static/js/auth/login.js b/server/www/teleport/static/js/auth/login.js index 653cd5b..8cbba09 100644 --- a/server/www/teleport/static/js/auth/login.js +++ b/server/www/teleport/static/js/auth/login.js @@ -157,7 +157,7 @@ $app.login_account = function () { } } else if ($app.login_type === TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH) { var test_oath = '' + parseInt(str_oath); - if(str_oath.length === 6) { + if (str_oath.length === 6) { for (; ;) { if (test_oath.length < 6) test_oath = '0' + test_oath; @@ -216,8 +216,14 @@ $app.do_account_login = function (username, password, captcha, oath, is_remember window.location.href = $app.options.ref; } else { $app.hide_op_box(); - $app.show_op_box('error', '登录失败:' + tp_error_msg(ret.code, ret.message)); $app.dom.captcha_image.attr('src', '/auth/captcha?h=36&rnd=' + Math.random()); + + if (ret.code === TPE_EXPIRED) { + // must change password before login. + window.location.href = '/user/change-expired-password?username=' + username; + } + + $app.show_op_box('error', '登录失败:' + tp_error_msg(ret.code, ret.message)); console.log(ret); } 
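Review bot: In the `ret.code === TPE_EXPIRED` branch of `$app.do_account_login`, `username` is concatenated into the redirect URL without encoding, so a name containing `&`, `#`, `+` or a space reaches the server altered or truncated. Use `window.location.href = '/user/change-expired-password?username=' + encodeURIComponent(username);`. The branch also falls through to `$app.show_op_box('error', …)` and `console.log(ret)` while the navigation is pending, so add `return;` after the assignment if nothing later in the function has to run. The function starts and ends outside the hunk.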
diff --git a/server/www/teleport/static/js/tp-const.js b/server/www/teleport/static/js/tp-const.js index dce5738..fbb4d53 100755 --- a/server/www/teleport/static/js/tp-const.js +++ b/server/www/teleport/static/js/tp-const.js @@ -285,6 +285,9 @@ function tp_error_msg(error_code, message) { case TPE_DATABASE: msg = '数据库操作失败'; break; + case TPE_EXPIRED: + msg = '已过期'; + break; //------------------------------------------------------- // HTTP请求相关错误 @@ -329,7 +332,7 @@ function tp_error_msg(error_code, message) { break; case TPE_OATH_ALREADY_BIND: - msg = '该账号已经绑定了身份验证器,如无法使用,请联系管理员重置密码或更换登陆方式'; + msg = '该账号已经绑定了身份验证器,如无法使用,请联系管理员重置密码或更换登录方式'; break; case TPE_USER_LOCKED: diff --git a/server/www/teleport/static/js/user/bind-oath.js b/server/www/teleport/static/js/user/bind-oath.js index 9e9b588..738ed9e 100755 --- a/server/www/teleport/static/js/user/bind-oath.js +++ b/server/www/teleport/static/js/user/bind-oath.js 
@@ -262,138 +262,3 @@ $app.on_save = function () { } ); }; - -// $app.on_send_find_password_email = function () { -// $app.hide_op_box(); -// var str_username = $app.dom.find.input_username.val(); -// var str_email = $app.dom.find.input_email.val(); -// var str_captcha = $app.dom.find.input_captcha.val(); -// -// if (str_username.length === 0) { -// $app.show_op_box('error', '账号未填写!'); -// $app.dom.find.input_username.attr('data-content', "请填写您的账号!").focus().popover('show'); -// return; -// } -// -// if (str_email.length === 0) { -// $app.show_op_box('error', '电子邮件地址未填写!'); -// $app.dom.find.input_email.attr('data-content', "请填写您的电子邮件地址!").focus().popover('show'); -// return; -// } -// -// if (!tp_is_email(str_email)) { -// $app.show_op_box('error', '无效的电子邮件地址!'); -// $app.dom.find.input_email.attr('data-content', "请检查输入的电子邮件地址!").focus().popover('show'); -// return; -// } -// -// if (str_captcha.length !== 4) { -// $app.show_op_box('error', '验证码错误!'); -// $app.dom.find.input_captcha.attr('data-content', "验证码为4位数字和字母的组合,请重新填写!").focus().select().popover('show'); -// return; -// } -// -// $app.dom.find.btn_submit.attr('disabled', 'disabled'); -// $tp.ajax_post_json('/auth/verify-captcha', {captcha: str_captcha}, -// function (ret) { -// if (ret.code === TPE_OK) { -// // 验证成功 -// $app.hide_op_box(); -// $app.show_op_box('wait', ' 正在发送密码重置确认函,请稍候...'); -// $app.do_send_reset_email(str_username, str_email, str_captcha); -// } -// else { -// $app.dom.find.btn_submit.removeAttr('disabled'); -// $app.hide_op_box(); -// $app.show_op_box('error', tp_error_msg(ret.code, ret.message)); -// $app.dom.captcha_image.attr('src', '/auth/captcha?h=28&rnd=' + Math.random()); -// $app.dom.input_captcha.focus().select().val(''); -// } -// }, -// function () { -// $app.hide_op_box(); -// $app.show_op_box('error', '很抱歉,无法连接服务器!请稍后再试一次!'); -// $app.dom.find.btn_submit.removeAttr('disabled'); -// } -// ); -// }; -// -// $app.do_send_reset_email = function (str_username, str_email, 
str_captcha) { -// $tp.ajax_post_json('/user/do-reset-password', { -// mode: 3, -// username: str_username, -// email: str_email, -// captcha: str_captcha -// }, -// function (ret) { -// if (ret.code === TPE_OK) { -// $app.dom.find.btn_submit.slideUp('fast'); -// $app.show_op_box('success', '密码重置确认函已发送,请注意查收!'); -// } else { -// $app.dom.find.btn_submit.removeAttr('disabled'); -// $app.hide_op_box(); -// var msg = ''; -// if (ret.code === TPE_NOT_EXISTS) -// msg = tp_error_msg(ret.code, '用户不存在,请检查输入的用户和电子邮件地址是否匹配!'); -// else -// msg = tp_error_msg(ret.code, ret.message); -// $app.show_op_box('error', msg); -// } -// }, -// function () { -// $app.dom.find.btn_submit.removeAttr('disabled'); -// $app.hide_op_box(); -// $app.show_op_box('error', '网络故障,密码重置确认函发送失败!'); -// }, -// 15000 -// ); -// }; -// -// $app.on_set_new_password = function () { -// $app.hide_op_box(); -// var str_password = $app.dom.set_password.input_password.val(); -// -// if (str_password.length === 0) { -// $app.show_op_box('error', '密码未填写!'); -// $app.dom.set_password.input_password.attr('data-content', "请设置您的新密码!").focus().popover('show'); -// return; -// } -// -// if ($app.options.force_strong) { -// if (!tp_check_strong_password(str_password)) { -// $app.show_op_box('error', tp_error_msg(TPE_FAILED, '抱歉,不能使用弱密码!')); -// $app.dom.set_password.input_password.attr('data-content', "请设置强密码:至少8位,必须包含大写字母、小写字母以及数字!").focus().popover('show'); -// return; -// } -// } -// -// $tp.ajax_post_json('/user/do-reset-password', { -// mode: 4, -// token: $app.options.token, -// password: str_password -// }, -// function (ret) { -// $app.dom.find.btn_submit.removeAttr('disabled'); -// if (ret.code === TPE_OK) { -// $app.show_op_box('success', '密码已重置,正在转到登录界面!'); -// setTimeout(function () { -// window.location.href = '/'; -// }, 2000); -// } else { -// var msg = ''; -// if (ret.code === TPE_NOT_EXISTS) -// msg = tp_error_msg(ret.code, '无效的密码重置链接!'); -// else -// msg = tp_error_msg(ret.code, ret.message); -// 
$app.show_op_box('error', msg); -// } -// }, -// function () { -// $app.dom.find.btn_submit.removeAttr('disabled'); -// $app.hide_op_box(); -// $app.show_op_box('error', '网络故障,密码重置失败!'); -// } -// ); -// }; - - diff --git a/server/www/teleport/static/js/user/change-expired-password.js b/server/www/teleport/static/js/user/change-expired-password.js new file mode 100644 index 0000000..ec4dc2f --- /dev/null +++ b/server/www/teleport/static/js/user/change-expired-password.js 
@@ -0,0 +1,238 @@ +"use strict"; + +$app.on_init = function (cb_stack) { + $app.dom = { + title: $('#title'), + icon_bg: $('#icon-bg'), + + op_message: $('#message'), + + error: { + area: $('#area-error'), + message: $('#area-error [data-field="message"]') + }, + + txt_username: $('#txt-username'), + txt_password: $('#txt-password'), + txt_new_password: $('#txt-new-password'), + btn_switch_password: $('#btn-switch-password'), + icon_switch_password: $('#icon-switch-password'), + txt_captcha: $('#txt-captcha'), + img_captcha: $('#img-captcha'), + btn_submit: $('#btn-submit'), + + info: $('#info'), + + find: { + area: $('#area-find-password'), + input_email: $('#area-find-password [data-field="input-email"]'), + input_captcha: $('#area-find-password [data-field="input-captcha"]'), + btn_submit: $('#area-find-password [data-field="btn-submit"]'), + message: $('#area-find-password [data-field="message"]') + }, + + set_password: { + area: $('#area-set-password'), + info: $('#area-set-password [data-field="info"]'), + input_password: $('#area-set-password [data-field="input-password"]'), + btn_switch_password: $('#area-set-password [data-field="btn-switch-password"]'), + btn_switch_password_icon: $('#area-set-password [data-field="btn-switch-password"] i'), + message: $('#area-set-password [data-field="message"]') + } + }; + + $app.dom.img_captcha.attr('src', '/auth/captcha?h=28&rnd=' + Math.random()); + $app.dom.txt_password.focus(); + $app.dom.txt_username.val($app.options.username); + if ($app.options.force_strong) + $app.dom.info.show(); + + $app.dom.img_captcha.click(function () { + $(this).attr('src', '/auth/captcha?h=28&rnd=' + Math.random()); + $app.dom.txt_captcha.focus().val(''); + }); + + $app.dom.btn_submit.click(function () { + $app.on_change_password(); + }); + + $app.dom.txt_password.keydown(function (event) { + if (event.which === 13) { + $app.dom.txt_new_password.focus(); + } else { + $app.hide_op_box(); + $('[data-toggle="popover"]').popover('hide'); + 
} + }); + $app.dom.txt_new_password.keydown(function (event) { + if (event.which === 13) { + $app.dom.txt_captcha.focus(); + } else { + $app.hide_op_box(); + $('[data-toggle="popover"]').popover('hide'); + } + }); + $app.dom.txt_captcha.keydown(function (event) { + if (event.which === 13) { + $app.on_change_password(); + } else { + $app.hide_op_box(); + $('[data-toggle="popover"]').popover('hide'); + } + }); + + $app.dom.btn_switch_password.click(function () { + if ('password' === $app.dom.txt_new_password.attr('type')) { + $app.dom.txt_new_password.attr('type', 'text'); + $app.dom.icon_switch_password.removeClass('fa-eye').addClass('fa-eye-slash') + } else { + $app.dom.txt_new_password.attr('type', 'password'); + $app.dom.icon_switch_password.removeClass('fa-eye-slash').addClass('fa-eye') + } + }); + + cb_stack.exec(); +}; + +$app.hide_op_box = function () { + $app.dom.op_message.hide(); +}; + +$app.show_op_box = function (op_type, op_msg) { + $app.dom.op_message.html(op_msg); + $app.dom.op_message.removeClass().addClass('op_box op_' + op_type); + $app.dom.op_message.show(); +}; + +$app.on_send_find_password_email = function () { + $app.hide_op_box(); + var str_username = $app.dom.find.input_username.val(); + var str_email = $app.dom.find.input_email.val(); + var str_captcha = $app.dom.find.input_captcha.val(); + + if (str_username.length === 0) { + $app.show_op_box('error', '用户名未填写!'); + $app.dom.find.input_username.attr('data-content', "请填写您的用户名!").focus().popover('show'); + return; + } + + if (str_email.length === 0) { + $app.show_op_box('error', '电子邮件地址未填写!'); + $app.dom.find.input_email.attr('data-content', "请填写您的电子邮件地址!").focus().popover('show'); + return; + } + + if (!tp_is_email(str_email)) { + $app.show_op_box('error', '无效的电子邮件地址!'); + $app.dom.find.input_email.attr('data-content', "请检查输入的电子邮件地址!").focus().popover('show'); + return; + } + + if (str_captcha.length !== 4) { + $app.show_op_box('error', '验证码错误!'); + 
$app.dom.find.input_captcha.attr('data-content', "验证码为4位数字和字母的组合,请重新填写!").focus().select().popover('show'); + return; + } + + $app.dom.find.btn_submit.attr('disabled', 'disabled'); + $tp.ajax_post_json('/auth/verify-captcha', {captcha: str_captcha}, + function (ret) { + if (ret.code === TPE_OK) { + // 验证成功 + $app.hide_op_box(); + $app.show_op_box('wait', ' 正在发送密码重置确认函,请稍候...'); + $app.do_send_reset_email(str_username, str_email, str_captcha); + } + else { + $app.dom.find.btn_submit.removeAttr('disabled'); + $app.hide_op_box(); + $app.show_op_box('error', tp_error_msg(ret.code, ret.message)); + $app.dom.captcha_image.attr('src', '/auth/captcha?h=28&rnd=' + Math.random()); + $app.dom.input_captcha.focus().select().val(''); + } + }, + function () { + $app.hide_op_box(); + $app.show_op_box('error', '很抱歉,无法连接服务器!请稍后再试一次!'); + $app.dom.find.btn_submit.removeAttr('disabled'); + } + ); +}; + +$app.do_send_reset_email = function (str_username, str_email, str_captcha) { + $tp.ajax_post_json('/user/do-reset-password', { + mode: 3, + username: str_username, + email: str_email, + captcha: str_captcha + }, + function (ret) { + if (ret.code === TPE_OK) { + $app.dom.find.btn_submit.slideUp('fast'); + $app.show_op_box('success', '密码重置确认函已发送,请注意查收!'); + } else { + $app.dom.find.btn_submit.removeAttr('disabled'); + $app.hide_op_box(); + var msg = ''; + if (ret.code === TPE_NOT_EXISTS) + msg = tp_error_msg(ret.code, '用户不存在,请检查输入的用户和电子邮件地址是否匹配!'); + else + msg = tp_error_msg(ret.code, ret.message); + $app.show_op_box('error', msg); + } + }, + function () { + $app.dom.find.btn_submit.removeAttr('disabled'); + $app.hide_op_box(); + $app.show_op_box('error', '网络故障,密码重置确认函发送失败!'); + }, + 15000 + ); +}; + +$app.on_set_new_password = function () { + $app.hide_op_box(); + var str_password = $app.dom.set_password.input_password.val(); + + if (str_password.length === 0) { + $app.show_op_box('error', '密码未填写!'); + $app.dom.set_password.input_password.attr('data-content', 
"请设置您的新密码!").focus().popover('show'); + return; + } + + if ($app.options.force_strong) { + if (!tp_check_strong_password(str_password)) { + $app.show_op_box('error', tp_error_msg(TPE_FAILED, '抱歉,不能使用弱密码!')); + $app.dom.set_password.input_password.attr('data-content', "请设置强密码:至少8位,必须包含大写字母、小写字母以及数字!").focus().popover('show'); + return; + } + } + + $tp.ajax_post_json('/user/do-reset-password', { + mode: 4, + token: $app.options.token, + password: str_password + }, + function (ret) { + $app.dom.find.btn_submit.removeAttr('disabled'); + if (ret.code === TPE_OK) { + $app.show_op_box('success', '密码已重置,正在转到登录界面!'); + setTimeout(function () { + window.location.href = '/'; + }, 2000); + } else { + var msg = ''; + if (ret.code === TPE_NOT_EXISTS) + msg = tp_error_msg(ret.code, '无效的密码重置链接!'); + else + msg = tp_error_msg(ret.code, ret.message); + $app.show_op_box('error', msg); + } + }, + function () { + $app.dom.find.btn_submit.removeAttr('disabled'); + $app.hide_op_box(); + $app.show_op_box('error', '网络故障,密码重置失败!'); + } + ); +}; diff --git a/server/www/teleport/view/user/change-expired-password.mako b/server/www/teleport/view/user/change-expired-password.mako new file mode 100644 index 0000000..5b2f1f5 --- /dev/null +++ b/server/www/teleport/view/user/change-expired-password.mako @@ -0,0 +1,100 @@ +<%! + page_title_ = '修改过期密码' +%> +<%inherit file="../page_single_base.mako"/> + +<%block name="extend_js_file"> + + + +<%block name="embed_css"> + + + +<%block name="page_header"> +
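Review bot: `$app.on_change_password`, called from both the `btn_submit` click handler and the captcha Enter-key handler in `$app.on_init`, is not defined anywhere in this new file, so submitting the form would throw unless another script provides it. The three functions that are defined (`on_send_find_password_email`, `do_send_reset_email`, `on_set_new_password`) closely resemble the commented-out code this commit deletes from bind-oath.js. They reference `$app.dom.find.input_username`, `$app.dom.captcha_image` and `$app.dom.input_captcha`, none of which `on_init` creates. Separately, `show_op_box` writes `op_msg` with `.html()`, and that string can carry `ret.message` from the server. `$app.dom.op_message.text(op_msg);` would stop it being parsed as markup, provided no caller relies on HTML in the message.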
+
+ +
+## + + +
+
+
+ +
+
+
密码已过期
+
+
+ +
+
+
+
+ + +
+ +
+ + +
+ +
+ + + +
+ +
+ + + +
+

验证码,点击图片可更换

+ +
+ + +
+ +
+
+
+

您的登陆密码已过期,根据系统设置,在您修改密码之前,将无法登陆TELEPORT系统。

+
+ +
+
+ +
+
+
+
+
+ +<%block name="embed_js"> + + diff --git a/server/www/teleport/webroot/app/controller/__init__.py b/server/www/teleport/webroot/app/controller/__init__.py index 22b44bf..ca48d37 100755 --- a/server/www/teleport/webroot/app/controller/__init__.py +++ b/server/www/teleport/webroot/app/controller/__init__.py @@ -66,6 +66,8 @@ controllers = [ (r'/user/get-users', user.DoGetUsersHandler), # - 用户重设密码页面 /auth/reset-password (r'/user/reset-password', user.ResetPasswordHandler), + # - 用户密码过期,修改密码页面 /auth/change-password + (r'/user/change-expired-password', user.ChangeExpiredPasswordHandler), # - [json] 重置密码 (r'/user/do-reset-password', user.DoResetPasswordHandler), # - 用户绑定OATH diff --git a/server/www/teleport/webroot/app/controller/auth.py b/server/www/teleport/webroot/app/controller/auth.py index 91c2416..2ca9d2a 100644 --- a/server/www/teleport/webroot/app/controller/auth.py +++ b/server/www/teleport/webroot/app/controller/auth.py @@ -115,12 +115,13 @@ class DoLoginHandler(TPBaseJsonHandler): syslog.sys_log({'username': '???', 'surname': '???'}, self.request.remote_ip, TPE_NOT_EXISTS, '登录失败,可能是攻击行为。试图使用用户名 {} 进行登录。'.format(username)) return self.write_json(err) - err, user_info = user.login(self, username, password=password, oath_code=oath) + err, user_info, msg = user.login(self, username, password=password, oath_code=oath) if err != TPE_OK: if err == TPE_NOT_EXISTS: err = TPE_USER_AUTH + msg = '用户名或密码错误' syslog.sys_log({'username': '???', 'surname': '???'}, self.request.remote_ip, TPE_NOT_EXISTS, '登录失败,用户`{}`不存在'.format(username)) - return self.write_json(err) + return self.write_json(err, msg) # 判断此用户是否被允许使用当前登录认证方式 auth_type = user_info.auth_type diff --git a/server/www/teleport/webroot/app/controller/user.py b/server/www/teleport/webroot/app/controller/user.py index 16106ea..6b1de44 100755 --- a/server/www/teleport/webroot/app/controller/user.py +++ b/server/www/teleport/webroot/app/controller/user.py 
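Review bot: Returning `msg` through `self.write_json(err, msg)` in `DoLoginHandler` makes an unknown username and a wrong password distinguishable again. The `TPE_NOT_EXISTS` branch sets `'用户名或密码错误'`, while `user.login` returns `'登录失败,密码错误'` for an existing account, and login.js passes `ret.message` to `tp_error_msg` for display. That undoes the `TPE_NOT_EXISTS` to `TPE_USER_AUTH` mapping just above, because the response text now shows whether the account exists. Keep the detailed text for `syslog.sys_log` only and overwrite `msg` with the one generic string whenever `err` is `TPE_USER_AUTH` before the return. The same applies to the LDAP and OATH messages built in the model/user.py hunks, which reach the client through this return.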
@@ -114,6 +114,16 @@ class ResetPasswordHandler(TPBaseHandler): self.render('user/reset-password.mako', page_param=json.dumps(param)) +class ChangeExpiredPasswordHandler(TPBaseHandler): + def get(self): + _username = self.get_argument('username', None) + if _username is None: + return self.redirect('/') + + param = {'username': _username, 'force_strong': tp_cfg().sys.password.force_strong} + self.render('user/change-expired-password.mako', page_param=json.dumps(param)) + + class BindOathHandler(TPBaseHandler): def get(self): self.render('user/bind-oath.mako') @@ -147,7 +157,7 @@ class DoVerifyUserHandler(TPBaseJsonHandler): except: check_bind_oath = False - err, user_info = user.login(self, username, password=password, check_bind_oath=check_bind_oath) + err, user_info, msg = user.login(self, username, password=password, check_bind_oath=check_bind_oath) if err != TPE_OK: if err == TPE_NOT_EXISTS: err = TPE_USER_AUTH @@ -173,7 +183,7 @@ class DoBindOathHandler(TPBaseJsonHandler): except: return self.write_json(TPE_PARAM) - err, user_info = user.login(self, username, password=password) + err, user_info, msg = user.login(self, username, password=password) if err != TPE_OK: if err == TPE_NOT_EXISTS: err = TPE_USER_AUTH diff --git a/server/www/teleport/webroot/app/model/user.py b/server/www/teleport/webroot/app/model/user.py index 11ef24d..a27db5b 100755 --- a/server/www/teleport/webroot/app/model/user.py +++ b/server/www/teleport/webroot/app/model/user.py 
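Review bot: `ChangeExpiredPasswordHandler.get` copies the `username` query argument straight into `page_param` via `json.dumps(param)`, which does not escape `<` or `/`. If the template writes `page_param` into an inline script block (its markup is not visible here), a crafted link could close the script element. Validate `_username` against the account-name format the system allows, or escape the serialized value, e.g. `json.dumps(param).replace('<', '\\u003c')`. The page is also rendered for any username, with no tie to a login attempt that returned `TPE_EXPIRED`, so the endpoint that performs the change must itself re-verify the old password and the captcha. In the `DoVerifyUserHandler` and `DoBindOathHandler` hunks the new `msg` is unpacked but unused in the visible lines.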
@@ -56,20 +56,19 @@ def get_by_username(username): def login(handler, username, password=None, oath_code=None, check_bind_oath=False): sys_cfg = tp_cfg().sys + msg = '' err, user_info = get_by_username(username) if err != TPE_OK: - # if err == TPE_NOT_EXISTS: - # syslog.sys_log({'username': username, 'surname': username}, handler.request.remote_ip, TPE_NOT_EXISTS, - # '用户身份验证失败,用户`{}`不存在'.format(username)) - return err, None + return err, None, msg if user_info.privilege == 0: # 尚未为此用户设置角色 - return TPE_PRIVILEGE, None + msg = '登录失败,用户尚未分配权限' + return TPE_PRIVILEGE, None, msg if check_bind_oath and len(user_info['oath_secret']) != 0: - return TPE_OATH_ALREADY_BIND, None + return TPE_OATH_ALREADY_BIND, None, msg if user_info['state'] == TP_STATE_LOCKED: # 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息 @@ -78,14 +77,17 @@ def login(handler, username, password=None, oath_code=None, check_bind_oath=Fals user_info.fail_count = 0 user_info.state = TP_STATE_NORMAL if user_info['state'] == TP_STATE_LOCKED: - syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_LOCKED, '登录失败,用户已被临时锁定') - return TPE_USER_LOCKED, None + msg = '登录失败,用户已被临时锁定' + syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_LOCKED, msg) + return TPE_USER_LOCKED, None, msg elif user_info['state'] == TP_STATE_DISABLED: - syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED, '登录失败,用户已被禁用') - return TPE_USER_DISABLED, None + msg = '登录失败,用户已被禁用' + syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED, msg) + return TPE_USER_DISABLED, None, msg elif user_info['state'] != TP_STATE_NORMAL: - syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, '登录失败,用户状态异常') - return TPE_FAILED, None + msg = '登录失败,用户状态异常' + syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, msg) + return TPE_FAILED, None, msg err_msg = '' if password is not None: 
@@ -94,28 +96,32 @@ def login(handler, username, password=None, oath_code=None, check_bind_oath=Fals if sys_cfg.password.timeout != 0: _time_now = tp_timestamp_utc_now() if user_info['last_chpass'] + (sys_cfg.password.timeout * 60 * 60 * 24) < _time_now: - syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,用户密码已过期') - return TPE_USER_AUTH, None + msg = '登录失败,用户密码已过期' + syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) + return TPE_EXPIRED, None, msg if not tp_password_verify(password, user_info['password']): err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定' - syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,密码错误{}'.format(err_msg)) - return TPE_USER_AUTH, None + msg = '登录失败,密码错误{}'.format(err_msg) + syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) + return TPE_USER_AUTH, None, msg elif user_info['type'] == TP_USER_TYPE_LDAP: try: if len(tp_cfg().sys_ldap_password) == 0: - syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP未能正确配置,需要管理员密码') - return TPE_USER_AUTH, None + msg = 'LDAP尚未配置' + syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) + return TPE_USER_AUTH, None, msg else: _ldap_password = tp_cfg().sys_ldap_password _ldap_server = tp_cfg().sys.ldap.server _ldap_port = tp_cfg().sys.ldap.port _ldap_base_dn = tp_cfg().sys.ldap.base_dn except: - syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP未能正确配置') - return TPE_USER_AUTH, None + msg = 'LDAP尚未正确配置' + syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) + return TPE_USER_AUTH, None, msg try: ldap = Ldap(_ldap_server, _ldap_port, _ldap_base_dn) 
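Review bot: The password-expiry check runs before `tp_password_verify`, so `login` returns `TPE_EXPIRED` for an existing username whatever password was submitted, and login.js then redirects to the change-password page. Move the `if sys_cfg.password.timeout != 0:` block below the password verification, so that only a caller who has proved the current password learns that it has expired. The log call in that block still records `TPE_USER_AUTH` while the function returns `TPE_EXPIRED`; `syslog.sys_log(user_info, handler.request.remote_ip, TPE_EXPIRED, msg)` keeps the audit trail consistent with the result. The hunk starts inside `login`, and the branch enclosing these lines is outside the view.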
@@ -125,40 +131,42 @@ def login(handler, username, password=None, oath_code=None, check_bind_oath=Fals err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定' - syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, - 'LDAP用户登录失败,密码错误{}'.format(err_msg)) - return TPE_USER_AUTH, None + msg = 'LDAP用户验证失败{}'.format(err_msg) + syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) + return TPE_USER_AUTH, None, msg else: - syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, - 'LDAP用户登录失败,{}'.format(err_msg)) - return TPE_USER_AUTH, None + msg = 'LDAP用户登录失败,{}'.format(err_msg) + syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) + return TPE_USER_AUTH, None, msg except: - syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP用户登录失败,发生内部错误') - return TPE_USER_AUTH, None + msg = 'LDAP用户登录失败,发生内部错误' + syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) + return TPE_USER_AUTH, None, msg else: - syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,系统内部错误') - return TPE_USER_AUTH, None + msg = '登录失败,系统内部错误' + syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) + return TPE_USER_AUTH, None, msg if oath_code is not None: # use oath if len(user_info['oath_secret']) == 0: - return TPE_OATH_MISMATCH, None + return TPE_OATH_MISMATCH, None, msg if not tp_oath_verify_code(user_info['oath_secret'], oath_code): err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定!' 
- syslog.sys_log(user_info, handler.request.remote_ip, TPE_OATH_MISMATCH, - "登录失败,身份验证器动态验证码错误{}".format(err_msg)) - return TPE_OATH_MISMATCH, None + msg = '登录失败,身份验证器动态验证码错误{}'.format(err_msg) + syslog.sys_log(user_info, handler.request.remote_ip, TPE_OATH_MISMATCH, msg) + return TPE_OATH_MISMATCH, None, msg del user_info['password'] del user_info['oath_secret'] if len(user_info['surname']) == 0: user_info['surname'] = user_info['username'] - return TPE_OK, user_info + return TPE_OK, user_info, msg def get_users(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude):