diff --git a/apps/common/sdk/sms/custom.py b/apps/common/sdk/sms/custom.py
index 9dff52d00..33f993724 100644
--- a/apps/common/sdk/sms/custom.py
+++ b/apps/common/sdk/sms/custom.py
@@ -1,15 +1,12 @@
-import requests
-
 from collections import OrderedDict
+import requests
 from django.conf import settings
-from common.utils import get_logger
 from common.exceptions import JMSException
-
+from common.utils import get_logger
 from .base import BaseSMSClient
-
 logger = get_logger(__file__)
@@ -38,7 +35,7 @@ class CustomSMS(BaseSMSClient):
 action = requests.get
 kwargs = {'params': params}
 try:
- response = action(url=settings.CUSTOM_SMS_URL, verify=False, **kwargs)
+ response = action(url=settings.CUSTOM_SMS_URL, verify=settings.VERIFY_EXTERNAL_SSL, **kwargs)
 response.raise_for_status()
 except Exception as exc:
 logger.error('Custom sms error: {}'.format(exc))
diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index d58b98cc3..39bff8ef3 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -222,6 +222,7 @@ class Config(dict):
 # Security
 'X_FRAME_OPTIONS': 'DENY',
+ 'VERIFY_EXTERNAL_SSL': True,
 # 未使用的配置
 'CAPTCHA_TEST_MODE': None,
diff --git a/apps/jumpserver/rewriting/exchange.py b/apps/jumpserver/rewriting/exchange.py
index 709e5558f..80699b8fb 100644
--- a/apps/jumpserver/rewriting/exchange.py
+++ b/apps/jumpserver/rewriting/exchange.py
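Review bot: With verification now on by default, a certificate failure against the custom SMS gateway is reported only as the generic `Custom sms error: …` from the `except Exception as exc:` branch, which gives an operator no hint that `VERIFY_EXTERNAL_SSL` or missing CA trust is the cause. Consider catching the TLS case before the broad handler and logging it distinctly, e.g. `except requests.exceptions.SSLError as exc:` followed by `logger.error('Custom sms TLS verification failed (check VERIFY_EXTERNAL_SSL / CA trust): {}'.format(exc))`. Since `requests` also accepts a CA-bundle path for `verify`, operators with a private CA have an option that does not require turning verification off, and the log line is the natural place to point them to it. The sending method's body continues outside the hunk, so whether the error is re-raised after logging is not visible here.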
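Review bot: The new `'VERIFY_EXTERNAL_SSL': True,` entry carries no comment saying which outbound connections it governs, even though this commit wires it into the custom SMS client, the Exchange mail backend, LDAP `OPT_X_TLS_REQUIRE_CERT` and `CAS_VERIFY_SSL_CERTIFICATE`. A one-line comment above it such as `# Verify TLS certificates of external services (custom SMS gateway, Exchange, LDAP, CAS); False disables verification for all of them` would make the blast radius of switching it off clear to whoever edits the config. Whether a value supplied through the environment is coerced to bool from this `True` default is not visible in the hunk; if it is not, a string such as `"false"` would stay truthy in the `if not` checks and would be passed to `requests` as a CA-bundle path, so confirm the loader's type conversion handles this key.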
@@ -1,28 +1,26 @@
 import urllib3
-
-from urllib3.exceptions import InsecureRequestWarning
-
+from django.conf import settings
 from django.core.mail.backends.base import BaseEmailBackend
 from django.core.mail.message import sanitize_address
-from django.conf import settings
 from exchangelib import Account, Credentials, Configuration, DELEGATE
-from exchangelib import Mailbox, Message, HTMLBody, FileAttachment
 from exchangelib import BaseProtocol, NoVerifyHTTPAdapter
+from exchangelib import Mailbox, Message, HTMLBody, FileAttachment
 from exchangelib.errors import TransportError
+from urllib3.exceptions import InsecureRequestWarning
-
-urllib3.disable_warnings(InsecureRequestWarning)
-BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter
+if not settings.VERIFY_EXTERNAL_SSL:
+ urllib3.disable_warnings(InsecureRequestWarning)
+ BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter
 class EmailBackend(BaseEmailBackend):
 def __init__(
- self,
- service_endpoint=None,
- username=None,
- password=None,
- fail_silently=False,
- **kwargs,
+ self,
+ service_endpoint=None,
+ username=None,
+ password=None,
+ fail_silently=False,
+ **kwargs,
 ):
 super().__init__(fail_silently=fail_silently)
 self.service_endpoint = service_endpoint or settings.EMAIL_HOST
diff --git a/apps/jumpserver/settings/auth.py b/apps/jumpserver/settings/auth.py
index 60d2aeab8..3d11811a1 100644
--- a/apps/jumpserver/settings/auth.py
+++ b/apps/jumpserver/settings/auth.py
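Review bot: The new `if not settings.VERIFY_EXTERNAL_SSL:` block runs at import time and mutates process-wide state: `BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter` applies to every exchangelib protocol in the process, and `urllib3.disable_warnings(InsecureRequestWarning)` mutes that warning for every urllib3 consumer (including the `requests` call in the SMS client touched by this same commit), not only this mail backend. A comment on the block such as `# Process-wide: disables TLS verification for all exchangelib connections and mutes urllib3 InsecureRequestWarning everywhere, not just this backend` would keep the scope from being misread as per-backend. Because the decision is taken once at import, changing the setting requires a process restart; a warning log when the insecure branch is taken would make that mode visible in operations logs, but no logger is imported in this hunk, so that is a separate change. The `__init__` parameter re-indentation is whitespace only.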
@@ -20,8 +20,11 @@ AUTH_LDAP_SEARCH_FILTER = CONFIG.AUTH_LDAP_SEARCH_FILTER
 AUTH_LDAP_START_TLS = CONFIG.AUTH_LDAP_START_TLS
 AUTH_LDAP_USER_ATTR_MAP = CONFIG.AUTH_LDAP_USER_ATTR_MAP
 AUTH_LDAP_USER_QUERY_FIELD = 'username'
+LDAP_TLS_REQUIRE_CERT = (
+ ldap.OPT_X_TLS_DEMAND if CONFIG.VERIFY_EXTERNAL_SSL else ldap.OPT_X_TLS_NEVER
+)
 AUTH_LDAP_GLOBAL_OPTIONS = {
- ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER,
+ ldap.OPT_X_TLS_REQUIRE_CERT: LDAP_TLS_REQUIRE_CERT,
 ldap.OPT_REFERRALS: CONFIG.AUTH_LDAP_OPTIONS_OPT_REFERRALS
 }
 LDAP_CACERT_FILE = os.path.join(PROJECT_DIR, "data", "certs", "ldap_ca.pem")
@@ -106,7 +109,7 @@ RADIUS_ATTRIBUTES = CONFIG.RADIUS_ATTRIBUTES
 # CAS Auth
 AUTH_CAS = CONFIG.AUTH_CAS
 CAS_SERVER_URL = CONFIG.CAS_SERVER_URL
-CAS_VERIFY_SSL_CERTIFICATE = False
+CAS_VERIFY_SSL_CERTIFICATE = CONFIG.VERIFY_EXTERNAL_SSL
 CAS_LOGIN_URL_NAME = "authentication:cas:cas-login"
 CAS_LOGOUT_URL_NAME = "authentication:cas:cas-logout"
 CAS_LOGIN_MSG = None
diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py
index ecf349620..d650a2015 100644
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@@ -348,6 +348,7 @@ FILE_UPLOAD_PERMISSIONS = 0o644
 FILE_UPLOAD_DIRECTORY_PERMISSIONS = 0o755
 X_FRAME_OPTIONS = CONFIG.X_FRAME_OPTIONS
+VERIFY_EXTERNAL_SSL = CONFIG.VERIFY_EXTERNAL_SSL
 # Cache use redis
 REDIS_SSL_KEY = exist_or_default(os.path.join(CERTS_DIR, 'redis_client.key'), None)
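Review bot: Defaulting `ldap.OPT_X_TLS_REQUIRE_CERT` to `ldap.OPT_X_TLS_DEMAND` means LDAPS/StartTLS against a directory whose certificate is signed by a private CA now fails unless that CA is trusted by the client; the hunk defines `LDAP_CACERT_FILE` on its last line, but whether that file is actually applied via `ldap.OPT_X_TLS_CACERTFILE` in `AUTH_LDAP_GLOBAL_OPTIONS` is outside this hunk, so confirm the CA file is wired in and documented before shipping the stricter default. A comment on the new constant such as `# DEMAND: reject an untrusted server certificate; NEVER (VERIFY_EXTERNAL_SSL=False) skips certificate checks entirely` would make the trade-off explicit to the next maintainer. The CAS hunk below makes the same default change for `CAS_VERIFY_SSL_CERTIFICATE` and is consistent with this one.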