[Update] Stash

apps/authentication/signals.py

@@ -2,3 +2,5 @@ from django.dispatch import Signal
 
 
 post_create_openid_user = Signal(providing_args=('user',))
+post_auth_success = Signal(providing_args=('user', 'request'))
+post_auth_failed = Signal(providing_args=('username', 'request', 'reason'))

apps/authentication/signals_handlers.py

@@ -2,9 +2,15 @@ from django.http.request import QueryDict
 from django.conf import settings
 from django.dispatch import receiver
 from django.contrib.auth.signals import user_logged_out
+from django.utils import timezone
 from django_auth_ldap.backend import populate_user
+
+from common.utils import get_request_ip
 from .openid import client
-from .signals import post_create_openid_user
+from .tasks import write_login_log_async
+from .signals import (
+    post_create_openid_user, post_auth_success, post_auth_failed
+)
 
 
 @receiver(user_logged_out)
@@ -38,3 +44,36 @@ def on_ldap_create_user(sender, user, ldap_user, **kwargs):
     if user and user.name != 'admin':
         user.source = user.SOURCE_LDAP
         user.save()
+
+
+def generate_data(username, request):
+    if not request.user.is_anonymous and request.user.is_app:
+        login_ip = request.data.get('remote_addr', None)
+        login_type = request.data.get('login_type', '')
+        user_agent = request.data.get('HTTP_USER_AGENT', '')
+    else:
+        login_ip = get_request_ip(request)
+        user_agent = request.META.get('HTTP_USER_AGENT', '')
+        login_type = 'W'
+    data = {
+        'username': username,
+        'ip': login_ip,
+        'type': login_type,
+        'user_agent': user_agent,
+        'datetime': timezone.now()
+    }
+    return data
+
+
+@receiver(post_auth_success)
+def on_user_auth_success(sender, user, request, **kwargs):
+    data = generate_data(user.username, request)
+    data.update({'mfa': int(user.otp_enabled), 'status': True})
+    write_login_log_async.delay(**data)
+
+
+@receiver(post_auth_failed)
+def on_user_auth_failed(sender, username, request, reason, **kwargs):
+    data = generate_data(username, request)
+    data.update({'reason': reason, 'status': False})
+    write_login_log_async.delay(**data)

apps/authentication/tasks.py

@@ -0,0 +1,11 @@
+# -*- coding: utf-8 -*-
+#
+
+from celery import shared_task
+
+from .utils import write_login_log
+
+
+@shared_task
+def write_login_log_async(*args, **kwargs):
+    write_login_log(*args, **kwargs)

apps/authentication/urls/view_urls.py

@@ -2,15 +2,13 @@
 #
 
 from django.urls import path
-from authentication.openid import views
+from .. import views
 
 app_name = 'authentication'
 
 urlpatterns = [
     # openid
-    path('openid/login/', views.LoginView.as_view(), name='openid-login'),
-    path('openid/login/complete/', views.LoginCompleteView.as_view(),
+    path('openid/login/', views.OpenIDLoginView.as_view(), name='openid-login'),
+    path('openid/login/complete/', views.OpenIDLoginCompleteView.as_view(),
          name='openid-login-complete'),
-
-    # other
 ]

apps/authentication/utils.py

@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+#
+from django.utils.translation import ugettext as _
+from common.utils import get_ip_city, validate_ip
+
+
+def write_login_log(*args, **kwargs):
+    from users.models import LoginLog
+    default_city = _("Unknown")
+    ip = kwargs.get('ip', '')
+    if not (ip and validate_ip(ip)):
+        ip = ip[:15]
+        city = default_city
+    else:
+        city = get_ip_city(ip) or default_city
+    kwargs.update({'ip': ip, 'city': city})
+    LoginLog.objects.create(**kwargs)
+

apps/authentication/views.py

@@ -1 +0,0 @@
-

apps/authentication/views/__init__.py

@@ -0,0 +1,4 @@
+# -*- coding: utf-8 -*-
+#
+
+from .openid import *

apps/authentication/views/login.py

@@ -0,0 +1,212 @@
+# ~*~ coding: utf-8 ~*~
+
+from __future__ import unicode_literals
+import os
+from django.core.cache import cache
+from django.shortcuts import render
+from django.utils import timezone
+from django.contrib.auth import login as auth_login, logout as auth_logout
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.views.generic import ListView
+from django.core.files.storage import default_storage
+from django.http import HttpResponseRedirect, HttpResponse
+from django.shortcuts import reverse, redirect
+from django.utils.decorators import method_decorator
+from django.utils.translation import ugettext as _
+from django.views.decorators.cache import never_cache
+from django.views.decorators.csrf import csrf_protect
+from django.views.decorators.debug import sensitive_post_parameters
+from django.views.generic.base import TemplateView
+from django.views.generic.edit import FormView
+from django.conf import settings
+from formtools.wizard.views import SessionWizardView
+
+from common.utils import get_object_or_none, get_request_ip
+from authentication.signals import post_auth_success, post_auth_failed
+from users.models import User, LoginLog
+from users.utils import send_reset_password_mail, check_otp_code, \
+    redirect_user_first_login_or_index, get_user_or_tmp_user, \
+    set_tmp_user_to_cache, get_password_check_rules, check_password_rules, \
+    is_block_login, increase_login_failed_count, clean_failed_count
+from users import forms
+
+
+__all__ = [
+    'UserLoginView', 'UserLoginOtpView', 'UserLogoutView',
+    'UserForgotPasswordView', 'UserForgotPasswordSendmailSuccessView',
+    'UserResetPasswordView', 'UserResetPasswordSuccessView',
+    'UserFirstLoginView', 'LoginLogListView'
+]
+
+
+@method_decorator(sensitive_post_parameters(), name='dispatch')
+@method_decorator(csrf_protect, name='dispatch')
+@method_decorator(never_cache, name='dispatch')
+class UserLoginView(FormView):
+    form_class = forms.UserLoginForm
+    form_class_captcha = forms.UserLoginCaptchaForm
+    redirect_field_name = 'next'
+    key_prefix_captcha = "_LOGIN_INVALID_{}"
+
+    def get_template_names(self):
+        template_name = 'users/login.html'
+        if not settings.XPACK_ENABLED:
+            return template_name
+
+        from xpack.plugins.license.models import License
+        if not License.has_valid_license():
+            return template_name
+
+        template_name = 'users/new_login.html'
+        return template_name
+
+    def get(self, request, *args, **kwargs):
+        if request.user.is_staff:
+            return redirect(redirect_user_first_login_or_index(
+                request, self.redirect_field_name)
+            )
+        request.session.set_test_cookie()
+        return super().get(request, *args, **kwargs)
+
+    def post(self, request, *args, **kwargs):
+        # limit login authentication
+        ip = get_request_ip(request)
+        username = self.request.POST.get('username')
+        if is_block_login(username, ip):
+            return self.render_to_response(self.get_context_data(block_login=True))
+        return super().post(request, *args, **kwargs)
+
+    def form_valid(self, form):
+        if not self.request.session.test_cookie_worked():
+            return HttpResponse(_("Please enable cookies and try again."))
+        user = form.get_user()
+        # user password expired
+        if user.password_has_expired:
+            reason = LoginLog.REASON_PASSWORD_EXPIRED
+            self.send_auth_signal(success=False, username=user.username, reason=reason)
+            return self.render_to_response(self.get_context_data(password_expired=True))
+
+        set_tmp_user_to_cache(self.request, user)
+        username = form.cleaned_data.get('username')
+        ip = get_request_ip(self.request)
+        # 登陆成功，清除缓存计数
+        clean_failed_count(username, ip)
+        return redirect(self.get_success_url())
+
+    def form_invalid(self, form):
+        # write login failed log
+        username = form.cleaned_data.get('username')
+        exist = User.objects.filter(username=username).first()
+        reason = LoginLog.REASON_PASSWORD if exist else LoginLog.REASON_NOT_EXIST
+        # limit user login failed count
+        ip = get_request_ip(self.request)
+        increase_login_failed_count(username, ip)
+        # show captcha
+        cache.set(self.key_prefix_captcha.format(ip), 1, 3600)
+        self.send_auth_signal(success=False, username=username, reason=reason)
+
+        old_form = form
+        form = self.form_class_captcha(data=form.data)
+        form._errors = old_form.errors
+        return super().form_invalid(form)
+
+    def get_form_class(self):
+        ip = get_request_ip(self.request)
+        if cache.get(self.key_prefix_captcha.format(ip)):
+            return self.form_class_captcha
+        else:
+            return self.form_class
+
+    def get_success_url(self):
+        user = get_user_or_tmp_user(self.request)
+
+        if user.otp_enabled and user.otp_secret_key:
+            # 1,2,mfa_setting & T
+            return reverse('users:login-otp')
+        elif user.otp_enabled and not user.otp_secret_key:
+            # 1,2,mfa_setting & F
+            return reverse('users:user-otp-enable-authentication')
+        elif not user.otp_enabled:
+            # 0 & T,F
+            auth_login(self.request, user)
+            self.send_auth_signal(success=True, user=user)
+            return redirect_user_first_login_or_index(self.request, self.redirect_field_name)
+
+    def get_context_data(self, **kwargs):
+        context = {
+            'demo_mode': os.environ.get("DEMO_MODE"),
+            'AUTH_OPENID': settings.AUTH_OPENID,
+        }
+        kwargs.update(context)
+        return super().get_context_data(**kwargs)
+
+    def send_auth_signal(self, success=True, user=None, username='', reason=''):
+        if success:
+            post_auth_success.send(sender=self.__class__, user=user, request=self.request)
+        else:
+            post_auth_failed.send(
+                sender=self.__class__, username=username,
+                request=self.request, reason=reason
+            )
+
+
+class UserLoginOtpView(FormView):
+    template_name = 'users/login_otp.html'
+    form_class = forms.UserCheckOtpCodeForm
+    redirect_field_name = 'next'
+
+    def form_valid(self, form):
+        user = get_user_or_tmp_user(self.request)
+        otp_code = form.cleaned_data.get('otp_code')
+        otp_secret_key = user.otp_secret_key
+
+        if check_otp_code(otp_secret_key, otp_code):
+            auth_login(self.request, user)
+            self.send_auth_signal(success=True, user=user)
+            return redirect(self.get_success_url())
+        else:
+            self.send_auth_signal(
+                success=False, username=user.username,
+                reason=LoginLog.REASON_MFA
+            )
+            form.add_error('otp_code', _('MFA code invalid, or ntp sync server time'))
+            return super().form_invalid(form)
+
+    def get_success_url(self):
+        return redirect_user_first_login_or_index(self.request, self.redirect_field_name)
+
+    def send_auth_signal(self, success=True, user=None, username='', reason=''):
+        if success:
+            post_auth_success.send(sender=self.__class__, user=user, request=self.request)
+        else:
+            post_auth_failed.send(
+                sender=self.__class__, username=username,
+                request=self.request, reason=reason
+            )
+
+
+@method_decorator(never_cache, name='dispatch')
+class UserLogoutView(TemplateView):
+    template_name = 'flash_message_standalone.html'
+
+    def get(self, request, *args, **kwargs):
+        auth_logout(request)
+        next_uri = request.COOKIES.get("next")
+        if next_uri:
+            return redirect(next_uri)
+        response = super().get(request, *args, **kwargs)
+        return response
+
+    def get_context_data(self, **kwargs):
+        context = {
+            'title': _('Logout success'),
+            'messages': _('Logout success, return login page'),
+            'interval': 1,
+            'redirect_url': reverse('users:login'),
+            'auto_redirect': True,
+        }
+        kwargs.update(context)
+        return super().get_context_data(**kwargs)
+
+
+

apps/authentication/views/openid.py

@@ -14,43 +14,36 @@ from django.http.response import (
     HttpResponseRedirect
 )
 
-from . import client
-from .models import Nonce
-from users.models import LoginLog
-from users.tasks import write_login_log_async
-from common.utils import get_request_ip
+from ..openid import client
+from ..openid.models import Nonce
+from ..signals import post_auth_success
 
 logger = logging.getLogger(__name__)
 
 
-def get_base_site_url():
-    return settings.BASE_SITE_URL
+__all__ = ['OpenIDLoginView', 'OpenIDLoginCompleteView']
 
 
-class LoginView(RedirectView):
+class OpenIDLoginView(RedirectView):
 
     def get_redirect_url(self, *args, **kwargs):
+        redirect_uri = settings.BASE_SITE_URL + \
+                       reverse("authentication:openid-login-complete")
         nonce = Nonce(
-            redirect_uri=get_base_site_url() + reverse(
-                "authentication:openid-login-complete"),
-
+            redirect_uri=redirect_uri,
             next_path=self.request.GET.get('next')
         )
-
         cache.set(str(nonce.state), nonce, 24*3600)
-
         self.request.session['openid_state'] = str(nonce.state)
-
         authorization_url = client.openid_connect_client.\
             authorization_url(
                 redirect_uri=nonce.redirect_uri, scope='code',
                 state=str(nonce.state)
             )
-
         return authorization_url
 
 
-class LoginCompleteView(RedirectView):
+class OpenIDLoginCompleteView(RedirectView):
 
     def get(self, request, *args, **kwargs):
         if 'error' in request.GET:
@@ -79,24 +72,6 @@ class LoginCompleteView(RedirectView):
             return HttpResponseBadRequest()
 
         login(self.request, user)
-
-        data = {
-            'username': user.username,
-            'mfa': int(user.otp_enabled),
-            'reason': LoginLog.REASON_NOTHING,
-            'status': True
-        }
-        self.write_login_log(data)
-
+        post_auth_success.send(sender=self.__class__, user=user, request=self.request)
         return HttpResponseRedirect(nonce.next_path or '/')
 
-    def write_login_log(self, data):
-        login_ip = get_request_ip(self.request)
-        user_agent = self.request.META.get('HTTP_USER_AGENT', '')
-        tmp_data = {
-            'ip': login_ip,
-            'type': 'W',
-            'user_agent': user_agent
-        }
-        data.update(tmp_data)
-        write_login_log_async.delay(**data)