diff --git a/apps/audits/signals_handler.py b/apps/audits/signals_handler.py index dab56fa5c..b95f6fbdf 100644 --- a/apps/audits/signals_handler.py +++ b/apps/audits/signals_handler.py @@ -136,8 +136,8 @@ def on_user_auth_success(sender, user, request, **kwargs): @receiver(post_auth_failed) -def on_user_auth_failed(sender, username, request, reason, **kwargs): +def on_user_auth_failed(sender, username, request, reason='', **kwargs): logger.debug('User login failed: {}'.format(username)) data = generate_data(username, request) - data.update({'reason': reason, 'status': False}) + data.update({'reason': reason[:128], 'status': False}) write_login_log(**data) diff --git a/apps/authentication/signals_handlers.py b/apps/authentication/signals_handlers.py index 645b202c2..461ddbb99 100644 --- a/apps/authentication/signals_handlers.py +++ b/apps/authentication/signals_handlers.py @@ -1,15 +1,15 @@ from django.dispatch import receiver -from jms_oidc_rp.signals import oidc_user_login_success, oidc_user_login_failed +from jms_oidc_rp.signals import openid_user_login_failed, openid_user_login_success from .signals import post_auth_success, post_auth_failed -@receiver(oidc_user_login_success) +@receiver(openid_user_login_success) def on_oidc_user_login_success(sender, request, user, **kwargs): post_auth_success.send(sender, user=user, request=request) -@receiver(oidc_user_login_failed) +@receiver(openid_user_login_failed) def on_oidc_user_login_failed(sender, username, request, reason, **kwargs): post_auth_failed.send(sender, username=username, request=request, reason=reason) diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py index 2c0b5bf5b..26a34fed2 100644 --- a/apps/jumpserver/conf.py +++ b/apps/jumpserver/conf.py @@ -184,15 +184,12 @@ class Config(dict): 'AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT': 'https://op-example.com/logout', 'AUTH_OPENID_PROVIDER_SIGNATURE_ALG': 'HS256', 'AUTH_OPENID_PROVIDER_SIGNATURE_KEY': None, - 'AUTH_OPENID_PROVIDER_CLAIMS_NAME': None, - 'AUTH_OPENID_PROVIDER_CLAIMS_USERNAME': None, - 'AUTH_OPENID_PROVIDER_CLAIMS_EMAIL': None, 'AUTH_OPENID_SCOPES': 'openid profile email', 'AUTH_OPENID_ID_TOKEN_MAX_AGE': 60, - 'AUTH_OPENID_ID_TOKEN_INCLUDE_USERINFO': True, + 'AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS': True, 'AUTH_OPENID_USE_STATE': True, 'AUTH_OPENID_USE_NONCE': True, - 'AUTH_OPENID_ALWAYS_UPDATE_USER_INFORMATION': True, + 'AUTH_OPENID_ALWAYS_UPDATE_USER': True, # OpenID 旧配置参数 (version <= 1.5.8 (discarded)) 'BASE_SITE_URL': 'http://localhost:8080', 'AUTH_OPENID_SERVER_URL': 'http://openid', diff --git a/apps/jumpserver/settings/auth.py b/apps/jumpserver/settings/auth.py index 4bb431bd5..d25a4b7bc 100644 --- a/apps/jumpserver/settings/auth.py +++ b/apps/jumpserver/settings/auth.py @@ -58,17 +58,14 @@ AUTH_OPENID_PROVIDER_USERINFO_ENDPOINT = CONFIG.AUTH_OPENID_PROVIDER_USERINFO_EN AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT = CONFIG.AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT AUTH_OPENID_PROVIDER_SIGNATURE_ALG = CONFIG.AUTH_OPENID_PROVIDER_SIGNATURE_ALG AUTH_OPENID_PROVIDER_SIGNATURE_KEY = CONFIG.AUTH_OPENID_PROVIDER_SIGNATURE_KEY -AUTH_OPENID_PROVIDER_CLAIMS_NAME = CONFIG.AUTH_OPENID_PROVIDER_CLAIMS_NAME -AUTH_OPENID_PROVIDER_CLAIMS_USERNAME = CONFIG.AUTH_OPENID_PROVIDER_CLAIMS_USERNAME -AUTH_OPENID_PROVIDER_CLAIMS_EMAIL = CONFIG.AUTH_OPENID_PROVIDER_CLAIMS_EMAIL AUTH_OPENID_SCOPES = CONFIG.AUTH_OPENID_SCOPES AUTH_OPENID_ID_TOKEN_MAX_AGE = CONFIG.AUTH_OPENID_ID_TOKEN_MAX_AGE -AUTH_OPENID_ID_TOKEN_INCLUDE_USERINFO = CONFIG.AUTH_OPENID_ID_TOKEN_INCLUDE_USERINFO +AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS = CONFIG.AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS AUTH_OPENID_SHARE_SESSION = CONFIG.AUTH_OPENID_SHARE_SESSION AUTH_OPENID_IGNORE_SSL_VERIFICATION = CONFIG.AUTH_OPENID_IGNORE_SSL_VERIFICATION AUTH_OPENID_USE_STATE = CONFIG.AUTH_OPENID_USE_STATE AUTH_OPENID_USE_NONCE = CONFIG.AUTH_OPENID_USE_NONCE -AUTH_OPENID_ALWAYS_UPDATE_USER_INFORMATION = CONFIG.AUTH_OPENID_ALWAYS_UPDATE_USER_INFORMATION +AUTH_OPENID_ALWAYS_UPDATE_USER = CONFIG.AUTH_OPENID_ALWAYS_UPDATE_USER AUTH_OPENID_AUTH_LOGIN_URL_NAME = 'authentication:oidc:login' AUTH_OPENID_AUTH_LOGIN_CALLBACK_URL_NAME = 'authentication:oidc:login-callback' AUTH_OPENID_AUTH_LOGOUT_URL_NAME = 'authentication:oidc:logout' diff --git a/apps/users/signals_handler.py b/apps/users/signals_handler.py index 17e11af84..191249296 100644 --- a/apps/users/signals_handler.py +++ b/apps/users/signals_handler.py @@ -7,11 +7,9 @@ from django_auth_ldap.backend import populate_user from django.conf import settings from django_cas_ng.signals import cas_user_authenticated -from jms_oidc_rp.signals import oidc_user_created, oidc_user_updated -from jms_oidc_rp.backends import get_userinfo_from_claims +from jms_oidc_rp.signals import openid_user_create_or_update from common.utils import get_logger -from .utils import construct_user_email from .signals import post_user_create from .models import User @@ -55,19 +53,15 @@ def on_ldap_create_user(sender, user, ldap_user, **kwargs): user.save() -@receiver(oidc_user_created) -def on_oidc_user_created(sender, request, oidc_user, **kwargs): - oidc_user.user.source = User.SOURCE_OPENID - oidc_user.user.save() - - -@receiver(oidc_user_updated) -def on_oidc_user_updated(sender, request, oidc_user, **kwargs): - if not settings.AUTH_OPENID_ALWAYS_UPDATE_USER_INFORMATION: +@receiver(openid_user_create_or_update) +def on_openid_user_create_or_update(sender, request, user, created, name, username, email): + if created: + user.source = User.SOURCE_OPENID + user.save() return - name, username, email = get_userinfo_from_claims(oidc_user.userinfo) - email = construct_user_email(username, email) - oidc_user.user.name = name - oidc_user.user.username = username - oidc_user.user.email = email - oidc_user.user.save() + + if not created and settings.AUTH_OPENID_ALWAYS_UPDATE_USER: + user.name = name + user.username = username + user.email = email + user.save()