1.添加:首次绑定动态身份认证器成功后，不允许再次绑定

2.管理员可解绑用户的动态身份证认证器 3.重置密码时会自动删除老的动态身份证认证器(用户在个人主页上修改不会删除)
2018-09-20 10:32:45 +08:00 · 2018-09-20 10:32:45 +08:00 · cd0e6fa3a8
parent 371e328674
commit cd0e6fa3a8
7 changed files with 65 additions and 3 deletions
--- a/server/www/teleport/static/js/tp-const.js
+++ b/server/www/teleport/static/js/tp-const.js
@ -212,6 +212,7 @@ var TPE_CAPTCHA_EXPIRED = 10000;
 var TPE_CAPTCHA_MISMATCH = 10001;
 var TPE_OATH_MISMATCH = 10002;
 var TPE_SYS_MAINTENANCE = 10003;
+var TPE_OATH_ALREADY_BIND = 10004;

 var TPE_USER_LOCKED = 10100;
 var TPE_USER_DISABLED = 10101;
@ -314,6 +315,10 @@ function tp_error_msg(error_code, message) {
        case  TPE_SYS_MAINTENANCE:
            msg = '系统维护中';
            break;
+        
+        case TPE_OATH_ALREADY_BIND:
+            msg = '该账号已经绑定了身份验证器，如无法使用，请联系管理员重置密码或更换登陆方式';
+            break;

        case TPE_USER_LOCKED:
            msg = '账号已被锁定';
--- a/server/www/teleport/static/js/user/bind-oath.js
+++ b/server/www/teleport/static/js/user/bind-oath.js
@ -182,7 +182,7 @@ $app.on_auth_user = function () {
    }

    $app.dom.auth.btn_submit.attr('disabled', 'disabled');
-    $tp.ajax_post_json('/user/verify-user', {username: str_username, password: str_password},
+    $tp.ajax_post_json('/user/verify-user', {username: str_username, password: str_password, check_bind_oath: true},
        function (ret) {
            $app.dom.auth.btn_submit.removeAttr('disabled');
            if (ret.code === TPE_OK) {
--- a/server/www/teleport/static/js/user/user-list.js
+++ b/server/www/teleport/static/js/user/user-list.js
@ -203,6 +203,8 @@ $app.on_table_users_cell_created = function (tbl, row_id, col_key, cell_obj) {
                $app.dlg_edit_user.show_edit(row_id);
            } else if (action === 'reset-password') {
                $app.dlg_reset_password.show_edit(row_id);
+            } else if (action === 'reset-oath-bind') {
+                $app._reset_oath_bind(user.id);
            } else if (action === 'lock') {
                $app._lock_users([user.id]);
            } else if (action === 'unlock') {
@ -349,6 +351,7 @@ $app.on_table_users_render_created = function (render) {

        h.push('<li role="separator" class="divider"></li>');
        h.push('<li><a href="javascript:;" data-action="reset-password"><i class="fa fa-street-view fa-fw"></i> 重置密码</a></li>');
+        h.push('<li><a href="javascript:;" data-action="reset-oath-bind"><i class="fa fa-street-view fa-fw"></i> 重置身份验证器</a></li>');
        h.push('<li role="separator" class="divider"></li>');
        h.push('<li><a href="javascript:;" data-action="remove"><i class="fa fa-times-circle fa-fw"></i> 删除</a></li>');
        h.push('</ul>');
@ -547,6 +550,21 @@ $app.set_selected_to_role = function (role_id, role_name) {

 };

+$app._reset_oath_bind = function (users) {
+    $tp.ajax_post_json('/user/do-unbind-oath', {users: users},
+        function (ret) {
+            if (ret.code === TPE_OK) {
+                $tp.notify_success('重置身份验证器操作成功！');
+            } else {
+                $tp.notify_error('重置身份验证器操作失败：' + tp_error_msg(ret.code, ret.message));
+            }
+        },
+        function () {
+            $tp.notify_error('网络故障，重置身份验证器操作失败！');
+        }
+    );
+};
+
 $app._lock_users = function (users) {
    $tp.ajax_post_json('/user/update-users', {action: 'lock', users: users},
        function (ret) {
--- a/server/www/teleport/webroot/app/const.py
+++ b/server/www/teleport/webroot/app/const.py
@ -198,6 +198,7 @@ TPE_CAPTCHA_EXPIRED = 10000
 TPE_CAPTCHA_MISMATCH = 10001
 TPE_OATH_MISMATCH = 10002
 TPE_SYS_MAINTENANCE = 10003
+TPE_OATH_ALREADY_BIND = 10004 

 TPE_USER_LOCKED = 10100
 TPE_USER_DISABLED = 10101
--- a/server/www/teleport/webroot/app/controller/init.py
+++ b/server/www/teleport/webroot/app/controller/init.py
@ -78,6 +78,8 @@ controllers = [
    (r'/user/verify-user', user.DoVerifyUserHandler),
    #  - [json] 绑定身份认证器
    (r'/user/do-bind-oath', user.DoBindOathHandler),
+    #  - 取消绑定身份认证器
+    (r'/user/do-unbind-oath', user.DoUnBindOathHandler),  
    #
    #  - 用户组管理页面
    (r'/user/group', user.GroupListHandler),
--- a/server/www/teleport/webroot/app/controller/user.py
+++ b/server/www/teleport/webroot/app/controller/user.py
@ -144,7 +144,12 @@ class DoVerifyUserHandler(TPBaseJsonHandler):
        except:
            return self.write_json(TPE_PARAM)

-        err, user_info = user.login(self, username, password=password)
+        try:
+            check_bind_oath = args['check_bind_oath']
+        except:
+            check_bind_oath = False
+
+        err, user_info = user.login(self, username, password=password, check_bind_oath=check_bind_oath)
        if err != TPE_OK:
            if err == TPE_NOT_EXISTS:
                err = TPE_USER_AUTH
@ -190,6 +195,28 @@ class DoBindOathHandler(TPBaseJsonHandler):

        return self.write_json(TPE_OK)

+class DoUnBindOathHandler(TPBaseJsonHandler):
+    def post(self):
+        ret = self.check_privilege(TP_PRIVILEGE_USER_DELETE)
+        if ret != TPE_OK:
+            return
+
+        args = self.get_argument('args', None)
+        if args is None:
+            return self.write_json(TPE_PARAM)
+        try:
+            args = json.loads(args)
+        except:
+            return self.write_json(TPE_JSON_FORMAT)
+
+        try:
+            users = args['users']
+        except:
+            return self.write_json(TPE_PARAM)
+
+        # 把oath设置为空就是去掉oath验证
+        err = user.update_oath_secret(self, users, '')
+        self.write_json(err)

 class OathSecretQrCodeHandler(TPBaseHandler):
    def get(self):
@ -752,6 +779,11 @@ class DoResetPasswordHandler(TPBaseJsonHandler):
            if mode == 4 and err == TPE_OK:
                user.remove_reset_token(token)

+            # 非用户自行修改密码的情况，都默认重置身份认证
+            if mode != 5 and err == TPE_OK:
+                print("reset oath secret")
+                user.update_oath_secret(self, user_id, '')
+
            self.write_json(err)

        else:
--- a/server/www/teleport/webroot/app/model/user.py
+++ b/server/www/teleport/webroot/app/model/user.py
@ -49,7 +49,7 @@ def get_by_username(username):
    return TPE_OK, s.recorder[0]


-def login(handler, username, password=None, oath_code=None):
+def login(handler, username, password=None, oath_code=None, check_bind_oath=False):
    sys_cfg = tp_cfg().sys

    err, user_info = get_by_username(username)
@ -62,6 +62,10 @@ def login(handler, username, password=None, oath_code=None):
        # 尚未为此用户设置角色
        return TPE_PRIVILEGE, None

+    if  check_bind_oath == True and len(user_info['oath_secret']) != 0:
+        return TPE_OATH_ALREADY_BIND, None
+
+
    if user_info['state'] == TP_STATE_LOCKED:
        # 用户已经被锁定，如果系统配置为一定时间后自动解锁，则更新一下用户信息
        if sys_cfg.login.lock_timeout != 0: