fix: replace CharField with EncryptedField for LDAP certificate fields (#17054)

Co-authored-by: wangruidong <940853815@qq.com>
This commit is contained in:
fit2bot
2026-07-16 15:32:14 +08:00
committed by GitHub
parent 6032b0df2f
commit 26e3785af9
4 changed files with 18 additions and 14 deletions

View File

@@ -20,9 +20,9 @@ class LDAPTestConfigSerializer(serializers.Serializer):
AUTH_LDAP_SEARCH_FILTER = serializers.CharField()
AUTH_LDAP_USER_ATTR_MAP = serializers.JSONField()
AUTH_LDAP_START_TLS = serializers.BooleanField(required=False)
AUTH_LDAP_CACERT_CONTENT = serializers.CharField(required=False, allow_blank=True)
AUTH_LDAP_CERT_CONTENT = serializers.CharField(required=False, allow_blank=True)
AUTH_LDAP_KEY_CONTENT = serializers.CharField(required=False, allow_blank=True)
AUTH_LDAP_CACERT_CONTENT = EncryptedField(required=False, allow_blank=True)
AUTH_LDAP_CERT_CONTENT = EncryptedField(required=False, allow_blank=True)
AUTH_LDAP_KEY_CONTENT = EncryptedField(required=False, allow_blank=True)
AUTH_LDAP = serializers.BooleanField(required=False)
@@ -118,17 +118,17 @@ class LDAPSettingSerializer(LDAPSerializerMixin, serializers.Serializer):
required=False, label=_('StartTLS'),
help_text=_('Use StartTLS to upgrade ldap:// connections to TLS')
)
AUTH_LDAP_CACERT_CONTENT = serializers.CharField(
AUTH_LDAP_CACERT_CONTENT = EncryptedField(
allow_blank=True, required=False, write_only=True,
label=_('CA certificate'),
help_text=_('CA certificate for verifying LDAPS/StartTLS server')
)
AUTH_LDAP_CERT_CONTENT = serializers.CharField(
AUTH_LDAP_CERT_CONTENT = EncryptedField(
allow_blank=True, required=False, write_only=True,
label=_('Client certificate'),
help_text=_('Client certificate for mutual TLS (optional)')
)
AUTH_LDAP_KEY_CONTENT = serializers.CharField(
AUTH_LDAP_KEY_CONTENT = EncryptedField(
allow_blank=True, required=False, write_only=True,
label=_('Client private key'),
help_text=_('Client private key for mutual TLS (optional)')

View File

@@ -17,9 +17,9 @@ class LDAPHATestConfigSerializer(serializers.Serializer):
AUTH_LDAP_HA_SEARCH_FILTER = serializers.CharField()
AUTH_LDAP_HA_USER_ATTR_MAP = serializers.JSONField()
AUTH_LDAP_HA_START_TLS = serializers.BooleanField(required=False)
AUTH_LDAP_HA_CACERT_CONTENT = serializers.CharField(required=False, allow_blank=True)
AUTH_LDAP_HA_CERT_CONTENT = serializers.CharField(required=False, allow_blank=True)
AUTH_LDAP_HA_KEY_CONTENT = serializers.CharField(required=False, allow_blank=True)
AUTH_LDAP_HA_CACERT_CONTENT = EncryptedField(required=False, allow_blank=True)
AUTH_LDAP_HA_CERT_CONTENT = EncryptedField(required=False, allow_blank=True)
AUTH_LDAP_HA_KEY_CONTENT = EncryptedField(required=False, allow_blank=True)
AUTH_LDAP_HA = serializers.BooleanField(required=False)
@@ -100,17 +100,17 @@ class LDAPHASettingSerializer(LDAPSerializerMixin, serializers.Serializer):
required=False, label=_('StartTLS'),
help_text=_('Use StartTLS to upgrade ldap:// connections to TLS')
)
AUTH_LDAP_HA_CACERT_CONTENT = serializers.CharField(
AUTH_LDAP_HA_CACERT_CONTENT = EncryptedField(
allow_blank=True, required=False, write_only=True,
label=_('CA certificate'),
help_text=_('CA certificate for verifying LDAPS/StartTLS server')
)
AUTH_LDAP_HA_CERT_CONTENT = serializers.CharField(
AUTH_LDAP_HA_CERT_CONTENT = EncryptedField(
allow_blank=True, required=False, write_only=True,
label=_('Client certificate'),
help_text=_('Client certificate for mutual TLS (optional)')
)
AUTH_LDAP_HA_KEY_CONTENT = serializers.CharField(
AUTH_LDAP_HA_KEY_CONTENT = EncryptedField(
allow_blank=True, required=False, write_only=True,
label=_('Client private key'),
help_text=_('Client private key for mutual TLS (optional)')

View File

@@ -25,8 +25,12 @@ class LDAPSerializerMixin:
cert_attrs = [f'{prefix}{suffix}' for suffix in self.cert_content_suffixes]
if not any(k in self.validated_data for k in cert_attrs):
return
content_map = {
attr: self.validated_data[attr]
for attr in cert_attrs if attr in self.validated_data
}
tls_util = LDAPTLSUtil(category)
tls_util.sync_files()
tls_util.sync_files(content_map=content_map)
tls_util.refresh_global_options()
def post_save(self):

View File

@@ -198,7 +198,7 @@ class LdapWebsocket(AsyncJsonWebsocketConsumer, OrgMixin):
if not serializer.is_valid():
self.send_msg(msg=f'error: {str(serializer.errors)}')
config = self.get_ldap_config(serializer)
ok, msg = LDAPTestUtil(config).test_config()
ok, msg = LDAPTestUtil(config, category=self.category).test_config()
if ok:
self.set_task_status_over(CACHE_KEY_LDAP_TEST_CONFIG_TASK_STATUS)
return ok, msg