fix: Add additional third-party authentication backends and adjust MFA check

apps/authentication/mixins.py

@@ -20,6 +20,7 @@ from django.utils.translation import gettext as _
 from rest_framework.request import Request
 
 from acls.models import LoginACL
+from apps.jumpserver.settings.auth import AUTHENTICATION_BACKENDS_THIRD_PARTY
 from common.utils import get_request_ip_or_data, get_request_ip, get_logger, bulk_get, FlashMessageUtil
 from users.models import User
 from users.utils import LoginBlockUtil, MFABlockUtils, LoginIpBlockUtil
@@ -227,6 +228,9 @@ class MFAMixin:
         self._do_check_user_mfa(code, mfa_type, user=user)
 
     def check_user_mfa_if_need(self, user):
+        if not settings.SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY and \
+                self.request.session.get('auth_backend') in AUTHENTICATION_BACKENDS_THIRD_PARTY:
+            return
         if self.request.session.get('auth_mfa') and \
                 self.request.session.get('auth_mfa_username') == user.username:
             return

apps/jumpserver/settings/auth.py

@@ -348,7 +348,8 @@ SMS_CUSTOM_FILE_PATH = os.path.join(PROJECT_DIR, 'data', 'sms', 'main.py')
 
 AUTHENTICATION_BACKENDS_THIRD_PARTY = [
     AUTH_BACKEND_OIDC_CODE, AUTH_BACKEND_CAS,
-    AUTH_BACKEND_SAML2, AUTH_BACKEND_OAUTH2
+    AUTH_BACKEND_SAML2, AUTH_BACKEND_OAUTH2, AUTH_BACKEND_WECOM, AUTH_BACKEND_DINGTALK, AUTH_BACKEND_FEISHU,
+    AUTH_BACKEND_LARK, AUTH_BACKEND_SLACK,
 ]
 ONLY_ALLOW_EXIST_USER_AUTH = CONFIG.ONLY_ALLOW_EXIST_USER_AUTH
 ONLY_ALLOW_AUTH_FROM_SOURCE = CONFIG.ONLY_ALLOW_AUTH_FROM_SOURCE

apps/settings/serializers/security.py

@@ -2,6 +2,8 @@ from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
 from acls.serializers.rules import ip_group_help_text, ip_group_child_validator
+from apps.jumpserver.settings.auth import AUTHENTICATION_BACKENDS_THIRD_PARTY
+from users.models.user import SourceMixin
 
 __all__ = [
     'SecurityPasswordRuleSerializer', 'SecuritySessionSerializer',
@@ -118,6 +120,9 @@ class SecurityLoginLimitSerializer(serializers.Serializer):
 
 
 class SecurityAuthSerializer(serializers.Serializer):
+    help_text_third_party_mfa = _('The third-party login modes include ') + ', '.join(
+        SourceMixin().backends_source_mapper.get(backend) for backend in AUTHENTICATION_BACKENDS_THIRD_PARTY
+    )
     SECURITY_MFA_AUTH = serializers.ChoiceField(
         choices=(
             [0, _('Not enabled')],
@@ -129,7 +134,7 @@ class SecurityAuthSerializer(serializers.Serializer):
     SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY = serializers.BooleanField(
         required=False, default=True,
         label=_('Third-party login MFA'),
-        help_text=_('The third-party login modes include OIDC, CAS, and SAML2'),
+        help_text=help_text_third_party_mfa
     )
     SECURITY_MFA_BY_EMAIL = serializers.BooleanField(
         required=False, default=False,

apps/users/models/user/_source.py

@@ -107,3 +107,7 @@ class SourceMixin:
         if not settings.ONLY_ALLOW_AUTH_FROM_SOURCE:
             return None
         return self.SOURCE_BACKEND_MAPPING.get(self.source, [])
+
+    @property
+    def backends_source_mapper(self):
+        return {backend: source for source, backends in self.SOURCE_BACKEND_MAPPING.items() for backend in backends}