feat: 认证方式支持OAuth2.0协议 (#8686)

* feat: 认证方式支持OAuth2.0协议

* perf: 优化 OAuth2 认证逻辑和Logo (对接 Github)

* perf: 优化 OAuth2 认证逻辑和Logo，支持上传图标

* perf: 优化 OAuth2 认证逻辑和Logo，支持上传图标

* perf: 优化 OAuth2 认证逻辑和Logo，支持上传图标

* perf: 优化 OAuth2 认证逻辑和Logo，支持上传图标

Co-authored-by: Jiangjie.Bai <bugatti_it@163.com>

apps/authentication/backends/oauth2/__init__.py

@@ -0,0 +1,4 @@
+# -*- coding: utf-8 -*-
+#
+
+from .backends import *

apps/authentication/backends/oauth2/backends.py

@@ -0,0 +1,157 @@
+# -*- coding: utf-8 -*-
+#
+import requests
+
+from django.contrib.auth import get_user_model
+from django.utils.http import urlencode
+from django.conf import settings
+from django.urls import reverse
+
+from common.utils import get_logger
+from users.utils import construct_user_email
+from authentication.utils import build_absolute_uri
+from common.exceptions import JMSException
+
+from .signals import (
+    oauth2_create_or_update_user, oauth2_user_login_failed,
+    oauth2_user_login_success
+)
+from ..base import JMSModelBackend
+
+
+__all__ = ['OAuth2Backend']
+
+logger = get_logger(__name__)
+
+
+class OAuth2Backend(JMSModelBackend):
+    @staticmethod
+    def is_enabled():
+        return settings.AUTH_OAUTH2
+
+    def get_or_create_user_from_userinfo(self, request, userinfo):
+        log_prompt = "Get or Create user [OAuth2Backend]: {}"
+        logger.debug(log_prompt.format('start'))
+
+        # Construct user attrs value
+        user_attrs = {}
+        for field, attr in settings.AUTH_OAUTH2_USER_ATTR_MAP.items():
+            user_attrs[field] = userinfo.get(attr, '')
+
+        username = user_attrs.get('username')
+        if not username:
+            error_msg = 'username is missing'
+            logger.error(log_prompt.format(error_msg))
+            raise JMSException(error_msg)
+
+        email = user_attrs.get('email', '')
+        email = construct_user_email(user_attrs.get('username'), email)
+        user_attrs.update({'email': email})
+
+        logger.debug(log_prompt.format(user_attrs))
+        user, created = get_user_model().objects.get_or_create(
+            username=username, defaults=user_attrs
+        )
+        logger.debug(log_prompt.format("user: {}|created: {}".format(user, created)))
+        logger.debug(log_prompt.format("Send signal => oauth2 create or update user"))
+        oauth2_create_or_update_user.send(
+            sender=self.__class__, request=request, user=user, created=created,
+            attrs=user_attrs
+        )
+        return user, created
+
+    @staticmethod
+    def get_response_data(response_data):
+        if response_data.get('data') is not None:
+            response_data = response_data['data']
+        return response_data
+
+    @staticmethod
+    def get_query_dict(response_data, query_dict):
+        query_dict.update({
+            'uid': response_data.get('uid', ''),
+            'access_token': response_data.get('access_token', '')
+        })
+        return query_dict
+
+    def authenticate(self, request, code=None, **kwargs):
+        log_prompt = "Process authenticate [OAuth2Backend]: {}"
+        logger.debug(log_prompt.format('Start'))
+        if code is None:
+            logger.error(log_prompt.format('code is missing'))
+            return None
+
+        query_dict = {
+            'client_id': settings.AUTH_OAUTH2_CLIENT_ID,
+            'client_secret': settings.AUTH_OAUTH2_CLIENT_SECRET,
+            'grant_type': 'authorization_code',
+            'code': code,
+            'redirect_uri': build_absolute_uri(
+                request, path=reverse(settings.AUTH_OAUTH2_AUTH_LOGIN_CALLBACK_URL_NAME)
+            )
+        }
+        access_token_url = '{url}?{query}'.format(
+            url=settings.AUTH_OAUTH2_ACCESS_TOKEN_ENDPOINT, query=urlencode(query_dict)
+        )
+        token_method = settings.AUTH_OAUTH2_ACCESS_TOKEN_METHOD.lower()
+        requests_func = getattr(requests, token_method, requests.get)
+        logger.debug(log_prompt.format('Call the access token endpoint[method: %s]' % token_method))
+        headers = {
+            'Accept': 'application/json'
+        }
+        access_token_response = requests_func(access_token_url, headers=headers)
+        try:
+            access_token_response.raise_for_status()
+            access_token_response_data = access_token_response.json()
+            response_data = self.get_response_data(access_token_response_data)
+        except Exception as e:
+            error = "Json access token response error, access token response " \
+                    "content is: {}, error is: {}".format(access_token_response.content, str(e))
+            logger.error(log_prompt.format(error))
+            return None
+
+        query_dict = self.get_query_dict(response_data, query_dict)
+
+        headers = {
+            'Accept': 'application/json',
+            'Authorization': 'token {}'.format(response_data.get('access_token', ''))
+        }
+
+        logger.debug(log_prompt.format('Get userinfo endpoint'))
+        userinfo_url = '{url}?{query}'.format(
+            url=settings.AUTH_OAUTH2_PROVIDER_USERINFO_ENDPOINT,
+            query=urlencode(query_dict)
+        )
+        userinfo_response = requests.get(userinfo_url, headers=headers)
+        try:
+            userinfo_response.raise_for_status()
+            userinfo_response_data = userinfo_response.json()
+            if 'data' in userinfo_response_data:
+                userinfo = userinfo_response_data['data']
+            else:
+                userinfo = userinfo_response_data
+        except Exception as e:
+            error = "Json userinfo response error, userinfo response " \
+                    "content is: {}, error is: {}".format(userinfo_response.content, str(e))
+            logger.error(log_prompt.format(error))
+            return None
+
+        try:
+            logger.debug(log_prompt.format('Update or create oauth2 user'))
+            user, created = self.get_or_create_user_from_userinfo(request, userinfo)
+        except JMSException:
+            return None
+
+        if self.user_can_authenticate(user):
+            logger.debug(log_prompt.format('OAuth2 user login success'))
+            logger.debug(log_prompt.format('Send signal => oauth2 user login success'))
+            oauth2_user_login_success.send(sender=self.__class__, request=request, user=user)
+            return user
+        else:
+            logger.debug(log_prompt.format('OAuth2 user login failed'))
+            logger.debug(log_prompt.format('Send signal => oauth2 user login failed'))
+            oauth2_user_login_failed.send(
+                sender=self.__class__, request=request, username=user.username,
+                reason=_('User invalid, disabled or expired')
+            )
+            return None

apps/authentication/backends/oauth2/signals.py

@@ -0,0 +1,9 @@
+from django.dispatch import Signal
+
+
+oauth2_create_or_update_user = Signal(
+    providing_args=['request', 'user', 'created', 'name', 'username', 'email']
+)
+oauth2_user_login_success = Signal(providing_args=['request', 'user'])
+oauth2_user_login_failed = Signal(providing_args=['request', 'username', 'reason'])
+

apps/authentication/backends/oauth2/urls.py

@@ -0,0 +1,11 @@
+# -*- coding: utf-8 -*-
+#
+from django.urls import path
+
+from . import views
+
+
+urlpatterns = [
+    path('login/', views.OAuth2AuthRequestView.as_view(), name='login'),
+    path('callback/', views.OAuth2AuthCallbackView.as_view(), name='login-callback')
+]

apps/authentication/backends/oauth2/views.py

@@ -0,0 +1,56 @@
+from django.views import View
+from django.conf import settings
+from django.contrib.auth import login
+from django.http import HttpResponseRedirect
+from django.urls import reverse
+from django.utils.http import urlencode
+
+from authentication.utils import build_absolute_uri
+from common.utils import get_logger
+from authentication.mixins import authenticate
+
+logger = get_logger(__file__)
+
+
+class OAuth2AuthRequestView(View):
+
+    def get(self, request):
+        log_prompt = "Process OAuth2 GET requests: {}"
+        logger.debug(log_prompt.format('Start'))
+
+        base_url = settings.AUTH_OAUTH2_PROVIDER_AUTHORIZATION_ENDPOINT
+        query_dict = {
+            'client_id': settings.AUTH_OAUTH2_CLIENT_ID, 'response_type': 'code',
+            'scope': settings.AUTH_OAUTH2_SCOPE,
+            'redirect_uri': build_absolute_uri(
+                request, path=reverse(settings.AUTH_OAUTH2_AUTH_LOGIN_CALLBACK_URL_NAME)
+            )
+        }
+
+        redirect_url = '{url}?{query}'.format(url=base_url, query=urlencode(query_dict))
+        logger.debug(log_prompt.format('Redirect login url'))
+        return HttpResponseRedirect(redirect_url)
+
+
+class OAuth2AuthCallbackView(View):
+    http_method_names = ['get', ]
+
+    def get(self, request):
+        """ Processes GET requests. """
+        log_prompt = "Process GET requests [OAuth2AuthCallbackView]: {}"
+        logger.debug(log_prompt.format('Start'))
+        callback_params = request.GET
+
+        if 'code' in callback_params:
+            logger.debug(log_prompt.format('Process authenticate'))
+            user = authenticate(code=callback_params['code'], request=request)
+            if user and user.is_valid:
+                logger.debug(log_prompt.format('Login: {}'.format(user)))
+                login(self.request, user)
+                logger.debug(log_prompt.format('Redirect'))
+                return HttpResponseRedirect(
+                    settings.AUTH_OAUTH2_AUTHENTICATION_REDIRECT_URI
+                )
+
+        logger.debug(log_prompt.format('Redirect'))
+        return HttpResponseRedirect(settings.AUTH_OAUTH2_AUTHENTICATION_FAILURE_REDIRECT_URI)

apps/authentication/backends/oidc/backends.py

@@ -9,6 +9,7 @@
 
 import base64
 import requests
+
 from rest_framework.exceptions import ParseError
 from django.contrib.auth import get_user_model
 from django.contrib.auth.backends import ModelBackend
@@ -18,10 +19,11 @@ from django.urls import reverse
 from django.conf import settings
 
 from common.utils import get_logger
+from authentication.utils import build_absolute_uri_for_oidc
 from users.utils import construct_user_email
 
 from ..base import JMSBaseAuthBackend
-from .utils import validate_and_return_id_token, build_absolute_uri
+from .utils import validate_and_return_id_token
 from .decorator import ssl_verification
 from .signals import (
     openid_create_or_update_user, openid_user_login_failed, openid_user_login_success
@@ -127,7 +129,7 @@ class OIDCAuthCodeBackend(OIDCBaseBackend):
         token_payload = {
             'grant_type': 'authorization_code',
             'code': code,
-            'redirect_uri': build_absolute_uri(
+            'redirect_uri': build_absolute_uri_for_oidc(
                 request, path=reverse(settings.AUTH_OPENID_AUTH_LOGIN_CALLBACK_URL_NAME)
             )
         }

apps/authentication/backends/oidc/utils.py

@@ -8,7 +8,7 @@
 
 import datetime as dt
 from calendar import timegm
-from urllib.parse import urlparse, urljoin
+from urllib.parse import urlparse
 
 from django.core.exceptions import SuspiciousOperation
 from django.utils.encoding import force_bytes, smart_bytes
@@ -110,17 +110,3 @@ def _validate_claims(id_token, nonce=None, validate_nonce=True):
         raise SuspiciousOperation('Incorrect id_token: nonce')
 
     logger.debug(log_prompt.format('End'))
-
-
-def build_absolute_uri(request, path=None):
-    """
-    Build absolute redirect uri
-    """
-    if path is None:
-        path = '/'
-
-    if settings.BASE_SITE_URL:
-        redirect_uri = urljoin(settings.BASE_SITE_URL, path)
-    else:
-        redirect_uri = request.build_absolute_uri(path)
-    return redirect_uri

apps/authentication/backends/oidc/views.py

@@ -20,7 +20,8 @@ from django.utils.crypto import get_random_string
 from django.utils.http import is_safe_url, urlencode
 from django.views.generic import View
 
-from .utils import get_logger, build_absolute_uri
+from authentication.utils import build_absolute_uri_for_oidc
+from .utils import get_logger
 
 
 logger = get_logger(__file__)
@@ -50,7 +51,7 @@ class OIDCAuthRequestView(View):
             'scope': settings.AUTH_OPENID_SCOPES,
             'response_type': 'code',
             'client_id': settings.AUTH_OPENID_CLIENT_ID,
-            'redirect_uri': build_absolute_uri(
+            'redirect_uri': build_absolute_uri_for_oidc(
                 request, path=reverse(settings.AUTH_OPENID_AUTH_LOGIN_CALLBACK_URL_NAME)
             )
         })
@@ -216,7 +217,7 @@ class OIDCEndSessionView(View):
         """ Returns the end-session URL. """
         q = QueryDict(mutable=True)
         q[settings.AUTH_OPENID_PROVIDER_END_SESSION_REDIRECT_URI_PARAMETER] = \
-            build_absolute_uri(self.request, path=settings.LOGOUT_REDIRECT_URL or '/')
+            build_absolute_uri_for_oidc(self.request, path=settings.LOGOUT_REDIRECT_URL or '/')
         q[settings.AUTH_OPENID_PROVIDER_END_SESSION_ID_TOKEN_PARAMETER] = \
             self.request.session['oidc_auth_id_token']
         return '{}?{}'.format(settings.AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT, q.urlencode())

apps/authentication/backends/saml2/backends.py

@@ -39,7 +39,7 @@ class SAML2Backend(JMSModelBackend):
         return user, created
 
     def authenticate(self, request, saml_user_data=None, **kwargs):
-        log_prompt = "Process authenticate [SAML2AuthCodeBackend]: {}"
+        log_prompt = "Process authenticate [SAML2Backend]: {}"
         logger.debug(log_prompt.format('Start'))
         if saml_user_data is None:
             logger.error(log_prompt.format('saml_user_data is missing'))
@@ -48,7 +48,7 @@ class SAML2Backend(JMSModelBackend):
         logger.debug(log_prompt.format('saml data, {}'.format(saml_user_data)))
         username = saml_user_data.get('username')
         if not username:
-            logger.debug(log_prompt.format('username is missing'))
+            logger.warning(log_prompt.format('username is missing'))
             return None
 
         user, created = self.get_or_create_from_saml_data(request, **saml_user_data)