fix: Add additional third-party authentication backends and adjust MFA check

2025-07-16 07:56:21 +00:00 · 2025-07-01 16:33:49 +08:00 · 2025-07-01 16:33:49 +08:00 · 1790cd8345
commit 1790cd8345
parent 7da74dc6e8
4 changed files with 16 additions and 2 deletions
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@ -20,6 +20,7 @@ from django.utils.translation import gettext as _
 from rest_framework.request import Request

 from acls.models import LoginACL
+from apps.jumpserver.settings.auth import AUTHENTICATION_BACKENDS_THIRD_PARTY
 from common.utils import get_request_ip_or_data, get_request_ip, get_logger, bulk_get, FlashMessageUtil
 from users.models import User
 from users.utils import LoginBlockUtil, MFABlockUtils, LoginIpBlockUtil
@ -227,6 +228,9 @@ class MFAMixin:
        self._do_check_user_mfa(code, mfa_type, user=user)

    def check_user_mfa_if_need(self, user):
+        if not settings.SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY and \
+                self.request.session.get('auth_backend') in AUTHENTICATION_BACKENDS_THIRD_PARTY:
+            return
        if self.request.session.get('auth_mfa') and \
                self.request.session.get('auth_mfa_username') == user.username:
            return
--- a/apps/jumpserver/settings/auth.py
+++ b/apps/jumpserver/settings/auth.py
@ -348,7 +348,8 @@ SMS_CUSTOM_FILE_PATH = os.path.join(PROJECT_DIR, 'data', 'sms', 'main.py')

 AUTHENTICATION_BACKENDS_THIRD_PARTY = [
    AUTH_BACKEND_OIDC_CODE, AUTH_BACKEND_CAS,
-    AUTH_BACKEND_SAML2, AUTH_BACKEND_OAUTH2
+    AUTH_BACKEND_SAML2, AUTH_BACKEND_OAUTH2, AUTH_BACKEND_WECOM, AUTH_BACKEND_DINGTALK, AUTH_BACKEND_FEISHU,
+    AUTH_BACKEND_LARK, AUTH_BACKEND_SLACK,
 ]
 ONLY_ALLOW_EXIST_USER_AUTH = CONFIG.ONLY_ALLOW_EXIST_USER_AUTH
 ONLY_ALLOW_AUTH_FROM_SOURCE = CONFIG.ONLY_ALLOW_AUTH_FROM_SOURCE
--- a/apps/settings/serializers/security.py
+++ b/apps/settings/serializers/security.py
@ -2,6 +2,8 @@ from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers

 from acls.serializers.rules import ip_group_help_text, ip_group_child_validator
+from apps.jumpserver.settings.auth import AUTHENTICATION_BACKENDS_THIRD_PARTY
+from users.models.user import SourceMixin

 __all__ = [
    'SecurityPasswordRuleSerializer', 'SecuritySessionSerializer',
@ -118,6 +120,9 @@ class SecurityLoginLimitSerializer(serializers.Serializer):


 class SecurityAuthSerializer(serializers.Serializer):
+    help_text_third_party_mfa = _('The third-party login modes include ') + ', '.join(
+        SourceMixin().backends_source_mapper.get(backend) for backend in AUTHENTICATION_BACKENDS_THIRD_PARTY
+    )
    SECURITY_MFA_AUTH = serializers.ChoiceField(
        choices=(
            [0, _('Not enabled')],
@ -129,7 +134,7 @@ class SecurityAuthSerializer(serializers.Serializer):
    SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY = serializers.BooleanField(
        required=False, default=True,
        label=_('Third-party login MFA'),
-        help_text=_('The third-party login modes include OIDC, CAS, and SAML2'),
+        help_text=help_text_third_party_mfa
    )
    SECURITY_MFA_BY_EMAIL = serializers.BooleanField(
        required=False, default=False,
--- a/apps/users/models/user/_source.py
+++ b/apps/users/models/user/_source.py
@ -107,3 +107,7 @@ class SourceMixin:
        if not settings.ONLY_ALLOW_AUTH_FROM_SOURCE:
            return None
        return self.SOURCE_BACKEND_MAPPING.get(self.source, [])
+
+    @property
+    def backends_source_mapper(self):
+        return {backend: source for source, backends in self.SOURCE_BACKEND_MAPPING.items() for backend in backends}