fix(auth): 第三方用户（saml2）登录规则设置无效 (#8648)

* fix: 修复 OpenID、CAS、SAML2登录规则设置无效 * refactor: auth_third_party_required写到一个地方和优化代码结构 * refactor: 优化代码结构 * refactor: 修改变量名称 Co-authored-by: huangzhiwen <zhiwen.huang@fit2cloud.com>
2025-09-05 09:21:02 +00:00 · 2022-08-09 11:24:28 +08:00
parent c295f1451a
commit 3951b8b080
5 changed files with 118 additions and 2 deletions
--- a/apps/authentication/middleware.py
+++ b/apps/authentication/middleware.py
@@ -1,11 +1,15 @@
 import base64

-from django.shortcuts import redirect, reverse
+from django.shortcuts import redirect, reverse, render
 from django.utils.deprecation import MiddlewareMixin
 from django.http import HttpResponse
 from django.conf import settings
+from django.utils.translation import ugettext as _
+from django.contrib.auth import logout as auth_logout

+from apps.authentication import mixins
 from common.utils import gen_key_pair
+from common.utils import get_request_ip


 class MFAMiddleware:
@@ -13,6 +17,7 @@ class MFAMiddleware:
    这个 中间件 是用来全局拦截开启了 MFA 却没有认证的，如 OIDC, CAS，使用第三方库做的登录，直接 login 了，
    所以只能在 Middleware 中控制
    """
+
    def __init__(self, get_response):
        self.get_response = get_response

@@ -42,6 +47,43 @@ class MFAMiddleware:
        return redirect(url)


+class ThirdPartyLoginMiddleware(mixins.AuthMixin):
+    """OpenID、CAS、SAML2登录规则设置验证"""
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        response = self.get_response(request)
+        # 没有认证过，证明不是从 第三方 来的
+        if request.user.is_anonymous:
+            return response
+        if not request.session.get('auth_third_party_required'):
+            return response
+        ip = get_request_ip(request)
+        try:
+            self._check_login_acl(request.user, ip)
+        except Exception as e:
+            auth_logout(request)
+            context = {
+                'title': _('Authentication failed'),
+                'message': _('Authentication failed (before login check failed): {}').format(e),
+                'interval': 10,
+                'redirect_url': reverse('authentication:login'),
+                'auto_redirect': True,
+            }
+            response = render(request, 'authentication/auth_fail_flash_message_standalone.html', context)
+        else:
+            guard_url = reverse('authentication:login-guard')
+            args = request.META.get('QUERY_STRING', '')
+            if args:
+                guard_url = "%s?%s" % (guard_url, args)
+            response = redirect(guard_url)
+        finally:
+            request.session.pop('auth_third_party_required', '')
+            return response
+
+
 class SessionCookieMiddleware(MiddlewareMixin):

    @staticmethod