From 184432a2a66c27363337d6717ca0ace5c7ea8b96 Mon Sep 17 00:00:00 2001 From: Bai Date: Tue, 28 Apr 2020 21:00:22 +0800 Subject: [PATCH 1/7] =?UTF-8?q?[Update]=20=E6=9B=B4=E6=96=B0OpenID?= =?UTF-8?q?=E7=9A=84=E9=85=8D=E7=BD=AE=E9=A1=B9=E4=BB=A5=E5=8F=8A=E5=AF=B9?= =?UTF-8?q?=E5=BA=94=E7=9A=84=E4=BF=A1=E5=8F=B7=E7=9B=91=E5=90=AC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/audits/signals_handler.py | 4 ++-- apps/authentication/signals_handlers.py | 6 ++--- apps/jumpserver/conf.py | 7 ++---- apps/jumpserver/settings/auth.py | 7 ++---- apps/users/signals_handler.py | 30 ++++++++++--------------- 5 files changed, 21 insertions(+), 33 deletions(-) diff --git a/apps/audits/signals_handler.py b/apps/audits/signals_handler.py index dab56fa5c..b95f6fbdf 100644 --- a/apps/audits/signals_handler.py +++ b/apps/audits/signals_handler.py @@ -136,8 +136,8 @@ def on_user_auth_success(sender, user, request, **kwargs): @receiver(post_auth_failed) -def on_user_auth_failed(sender, username, request, reason, **kwargs): +def on_user_auth_failed(sender, username, request, reason='', **kwargs): logger.debug('User login failed: {}'.format(username)) data = generate_data(username, request) - data.update({'reason': reason, 'status': False}) + data.update({'reason': reason[:128], 'status': False}) write_login_log(**data) diff --git a/apps/authentication/signals_handlers.py b/apps/authentication/signals_handlers.py index 645b202c2..461ddbb99 100644 --- a/apps/authentication/signals_handlers.py +++ b/apps/authentication/signals_handlers.py 
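Review bot: `reason[:128]` in the `post_auth_failed` receiver raises TypeError if a sender passes `reason=None`, and an exception in this handler means the failed-login audit record is never written; `reason = (reason or '')[:128]` ahead of the `data.update(...)` call keeps the truncation and tolerates None. The 128 limit is presumably the max_length of the login-log `reason` column — confirm, and consider naming it (or reading it from the model field) instead of repeating the literal here. The new `reason=''` default is a good complement, since `on_oidc_user_login_failed` in this series still forwards `reason` without a default.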
@@ -1,15 +1,15 @@ from django.dispatch import receiver -from jms_oidc_rp.signals import oidc_user_login_success, oidc_user_login_failed +from jms_oidc_rp.signals import openid_user_login_failed, openid_user_login_success from .signals import post_auth_success, post_auth_failed -@receiver(oidc_user_login_success) +@receiver(openid_user_login_success) def on_oidc_user_login_success(sender, request, user, **kwargs): post_auth_success.send(sender, user=user, request=request) -@receiver(oidc_user_login_failed) +@receiver(openid_user_login_failed) def on_oidc_user_login_failed(sender, username, request, reason, **kwargs): post_auth_failed.send(sender, username=username, request=request, reason=reason) diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py index 2c0b5bf5b..26a34fed2 100644 --- a/apps/jumpserver/conf.py +++ b/apps/jumpserver/conf.py @@ -184,15 +184,12 @@ class Config(dict): 'AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT': 'https://op-example.com/logout', 'AUTH_OPENID_PROVIDER_SIGNATURE_ALG': 'HS256', 'AUTH_OPENID_PROVIDER_SIGNATURE_KEY': None, - 'AUTH_OPENID_PROVIDER_CLAIMS_NAME': None, - 'AUTH_OPENID_PROVIDER_CLAIMS_USERNAME': None, - 'AUTH_OPENID_PROVIDER_CLAIMS_EMAIL': None, 'AUTH_OPENID_SCOPES': 'openid profile email', 'AUTH_OPENID_ID_TOKEN_MAX_AGE': 60, - 'AUTH_OPENID_ID_TOKEN_INCLUDE_USERINFO': True, + 'AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS': True, 'AUTH_OPENID_USE_STATE': True, 'AUTH_OPENID_USE_NONCE': True, - 'AUTH_OPENID_ALWAYS_UPDATE_USER_INFORMATION': True, + 'AUTH_OPENID_ALWAYS_UPDATE_USER': True, # OpenID 旧配置参数 (version <= 1.5.8 (discarded)) 'BASE_SITE_URL': 'http://localhost:8080', 'AUTH_OPENID_SERVER_URL': 'http://openid', diff --git a/apps/jumpserver/settings/auth.py b/apps/jumpserver/settings/auth.py index 4bb431bd5..d25a4b7bc 100644 --- a/apps/jumpserver/settings/auth.py +++ b/apps/jumpserver/settings/auth.py 
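Review bot: `on_oidc_user_login_failed` still takes `reason` as a required argument while the `post_auth_failed` receiver it forwards to now defaults it to `''`; if the renamed `openid_user_login_failed` signal is ever sent without `reason`, this bridge raises TypeError before the audit log is written, so give it the same default: `def on_oidc_user_login_failed(sender, username, request, reason='', **kwargs):`. Style: the imported signals are renamed to `openid_*` but both receivers keep their `on_oidc_*` names; renaming them too would keep the module consistent. A one-line docstring on each, e.g. `"""Re-emit jms_oidc_rp's login-success signal as the project-wide post_auth_success signal."""`, would explain why this module exists.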
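Review bot: `AUTH_OPENID_ID_TOKEN_INCLUDE_USERINFO` and `AUTH_OPENID_ALWAYS_UPDATE_USER_INFORMATION` are renamed in the defaults dict without a fallback, so a deployment whose config file still sets the old key (for example `AUTH_OPENID_ALWAYS_UPDATE_USER_INFORMATION: false`) silently gets the new default `True` and has user name/username/email overwritten from provider claims on every login. The file already keeps a block of superseded keys under `# OpenID 旧配置参数`; either read the old key as a fallback for the new one or log a deprecation warning when it is present. The three removed `AUTH_OPENID_PROVIDER_CLAIMS_*` keys deserve the same treatment, and the same applies to the mirrored apps/jumpserver/settings/auth.py hunk.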
@@ -58,17 +58,14 @@ AUTH_OPENID_PROVIDER_USERINFO_ENDPOINT = CONFIG.AUTH_OPENID_PROVIDER_USERINFO_EN AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT = CONFIG.AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT AUTH_OPENID_PROVIDER_SIGNATURE_ALG = CONFIG.AUTH_OPENID_PROVIDER_SIGNATURE_ALG AUTH_OPENID_PROVIDER_SIGNATURE_KEY = CONFIG.AUTH_OPENID_PROVIDER_SIGNATURE_KEY -AUTH_OPENID_PROVIDER_CLAIMS_NAME = CONFIG.AUTH_OPENID_PROVIDER_CLAIMS_NAME -AUTH_OPENID_PROVIDER_CLAIMS_USERNAME = CONFIG.AUTH_OPENID_PROVIDER_CLAIMS_USERNAME -AUTH_OPENID_PROVIDER_CLAIMS_EMAIL = CONFIG.AUTH_OPENID_PROVIDER_CLAIMS_EMAIL AUTH_OPENID_SCOPES = CONFIG.AUTH_OPENID_SCOPES AUTH_OPENID_ID_TOKEN_MAX_AGE = CONFIG.AUTH_OPENID_ID_TOKEN_MAX_AGE -AUTH_OPENID_ID_TOKEN_INCLUDE_USERINFO = CONFIG.AUTH_OPENID_ID_TOKEN_INCLUDE_USERINFO +AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS = CONFIG.AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS AUTH_OPENID_SHARE_SESSION = CONFIG.AUTH_OPENID_SHARE_SESSION AUTH_OPENID_IGNORE_SSL_VERIFICATION = CONFIG.AUTH_OPENID_IGNORE_SSL_VERIFICATION AUTH_OPENID_USE_STATE = CONFIG.AUTH_OPENID_USE_STATE AUTH_OPENID_USE_NONCE = CONFIG.AUTH_OPENID_USE_NONCE -AUTH_OPENID_ALWAYS_UPDATE_USER_INFORMATION = CONFIG.AUTH_OPENID_ALWAYS_UPDATE_USER_INFORMATION +AUTH_OPENID_ALWAYS_UPDATE_USER = CONFIG.AUTH_OPENID_ALWAYS_UPDATE_USER AUTH_OPENID_AUTH_LOGIN_URL_NAME = 'authentication:oidc:login' AUTH_OPENID_AUTH_LOGIN_CALLBACK_URL_NAME = 'authentication:oidc:login-callback' AUTH_OPENID_AUTH_LOGOUT_URL_NAME = 'authentication:oidc:logout' diff --git a/apps/users/signals_handler.py b/apps/users/signals_handler.py index 17e11af84..191249296 100644 --- a/apps/users/signals_handler.py +++ b/apps/users/signals_handler.py 
@@ -7,11 +7,9 @@ from django_auth_ldap.backend import populate_user from django.conf import settings from django_cas_ng.signals import cas_user_authenticated -from jms_oidc_rp.signals import oidc_user_created, oidc_user_updated -from jms_oidc_rp.backends import get_userinfo_from_claims +from jms_oidc_rp.signals import openid_user_create_or_update from common.utils import get_logger -from .utils import construct_user_email from .signals import post_user_create from .models import User @@ -55,19 +53,15 @@ def on_ldap_create_user(sender, user, ldap_user, **kwargs): user.save() -@receiver(oidc_user_created) -def on_oidc_user_created(sender, request, oidc_user, **kwargs): - oidc_user.user.source = User.SOURCE_OPENID - oidc_user.user.save() - - -@receiver(oidc_user_updated) -def on_oidc_user_updated(sender, request, oidc_user, **kwargs): - if not settings.AUTH_OPENID_ALWAYS_UPDATE_USER_INFORMATION: +@receiver(openid_user_create_or_update) +def on_openid_user_create_or_update(sender, request, user, created, name, username, email): + if created: + user.source = User.SOURCE_OPENID + user.save() return - name, username, email = get_userinfo_from_claims(oidc_user.userinfo) - email = construct_user_email(username, email) - oidc_user.user.name = name - oidc_user.user.username = username - oidc_user.user.email = email - oidc_user.user.save() + + if not created and settings.AUTH_OPENID_ALWAYS_UPDATE_USER: + user.name = name + user.username = username + user.email = email + user.save() From 87242c13a13d87934859838d5c059d787bec7a7a Mon Sep 17 00:00:00 2001 From: Bai Date: Tue, 28 Apr 2020 21:06:13 +0800 Subject: [PATCH 2/7] =?UTF-8?q?[Update]=20=E4=BF=AE=E6=94=B9=E4=BF=A1?= =?UTF-8?q?=E5=8F=B7=E7=9B=91=E5=90=ACkwargs?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/users/signals_handler.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
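Review bot: the update branch of `on_openid_user_create_or_update` assigns `user.name`, `user.username` and `user.email` straight from the signal without checking `user.source`, so if jms_oidc_rp links the login to a pre-existing local or LDAP account (its lookup logic is not visible here), that account's identity fields are rewritten from provider claims whenever `AUTH_OPENID_ALWAYS_UPDATE_USER` is true; guarding with `user.source == User.SOURCE_OPENID` would limit the overwrite to accounts this backend created. The removed `construct_user_email(username, email)` call previously supplied a fallback when the email claim was missing, and the new code writes `email` as received — confirm the library guarantees a usable value. `user.username` is presumably unique, so a claim that collides with another account turns into an unhandled IntegrityError in the login flow; catching it and logging the conflict is better than failing the request. The `not created` in `if not created and ...` is redundant after the `return` of the `if created:` branch, and stays redundant in patch 3's `elif not created and ...`; `elif settings.AUTH_OPENID_ALWAYS_UPDATE_USER:` reads cleaner.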
diff --git a/apps/users/signals_handler.py b/apps/users/signals_handler.py index 191249296..622f4a9f8 100644 --- a/apps/users/signals_handler.py +++ b/apps/users/signals_handler.py @@ -54,7 +54,7 @@ def on_ldap_create_user(sender, user, ldap_user, **kwargs): @receiver(openid_user_create_or_update) -def on_openid_user_create_or_update(sender, request, user, created, name, username, email): +def on_openid_user_create_or_update(sender, request, user, created, name, username, email, **kwargs): if created: user.source = User.SOURCE_OPENID user.save() From c0089a98f41caf9874a598ba32dfe99c5f615287 Mon Sep 17 00:00:00 2001 From: Bai Date: Tue, 28 Apr 2020 22:29:56 +0800 Subject: [PATCH 3/7] =?UTF-8?q?[Update]=20=E4=BF=AE=E6=94=B9openid?= =?UTF-8?q?=E4=BF=A1=E5=8F=B7=E5=90=8D=E7=A7=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/users/signals_handler.py | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/apps/users/signals_handler.py b/apps/users/signals_handler.py index 622f4a9f8..9d6c96c02 100644 --- a/apps/users/signals_handler.py +++ b/apps/users/signals_handler.py @@ -7,7 +7,7 @@ from django_auth_ldap.backend import populate_user from django.conf import settings from django_cas_ng.signals import cas_user_authenticated -from jms_oidc_rp.signals import openid_user_create_or_update +from jms_oidc_rp.signals import openid_create_or_update_user from common.utils import get_logger from .signals import post_user_create 
@@ -53,14 +53,12 @@ def on_ldap_create_user(sender, user, ldap_user, **kwargs): user.save() -@receiver(openid_user_create_or_update) -def on_openid_user_create_or_update(sender, request, user, created, name, username, email, **kwargs): +@receiver(openid_create_or_update_user) +def on_openid_create_or_update_user(sender, request, user, created, name, username, email, **kwargs): if created: user.source = User.SOURCE_OPENID user.save() - return - - if not created and settings.AUTH_OPENID_ALWAYS_UPDATE_USER: + elif not created and settings.AUTH_OPENID_ALWAYS_UPDATE_USER: user.name = name user.username = username user.email = email From 9eee79f7d4b13855d687e12511617d317cad7b3a Mon Sep 17 00:00:00 2001 From: Bai Date: Wed, 29 Apr 2020 00:43:54 +0800 Subject: [PATCH 4/7] =?UTF-8?q?[Update]=20=E8=B0=83=E6=95=B4openid=20backe?= =?UTF-8?q?nd=E9=A1=BA=E5=BA=8F=EF=BC=9Bopenid=20=E7=94=A8=E6=88=B7?= =?UTF-8?q?=E5=88=9B=E5=BB=BA/=E6=9B=B4=E6=96=B0=E6=B7=BB=E5=8A=A0?= =?UTF-8?q?=E6=97=A5=E5=BF=97=E8=BE=93=E5=87=BA?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/jumpserver/conf.py | 2 +- apps/users/signals_handler.py | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py index 26a34fed2..2b68bfdc5 100644 --- a/apps/jumpserver/conf.py +++ b/apps/jumpserver/conf.py @@ -427,8 +427,8 @@ class DynamicConfig: if self.static_config.get('AUTH_CAS'): backends.insert(0, 'authentication.backends.cas.CASBackend') if self.static_config.get('AUTH_OPENID'): - backends.insert(0, 'jms_oidc_rp.backends.OIDCAuthCodeBackend') backends.insert(0, 'jms_oidc_rp.backends.OIDCAuthPasswordBackend') + backends.insert(0, 'jms_oidc_rp.backends.OIDCAuthCodeBackend') if self.static_config.get('AUTH_RADIUS'): backends.insert(0, 'authentication.backends.radius.RadiusBackend') return backends 
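Review bot: the two `backends.insert(0, ...)` calls now place `OIDCAuthCodeBackend` ahead of `OIDCAuthPasswordBackend`, but that relies on the later insert winning position 0, which is easy to misread on the next edit; `backends[0:0] = ['jms_oidc_rp.backends.OIDCAuthCodeBackend', 'jms_oidc_rp.backends.OIDCAuthPasswordBackend']` states the intended order literally. Since Django's `authenticate()` tries backends in list order and the first one returning a user wins, a comment such as `# order matters: Django consults backends in order, the OIDC code backend goes first` would record why the swap was made. The enclosing method starts and ends outside the hunk.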
diff --git a/apps/users/signals_handler.py b/apps/users/signals_handler.py index 9d6c96c02..37f7c42fc 100644 --- a/apps/users/signals_handler.py +++ b/apps/users/signals_handler.py @@ -56,9 +56,18 @@ def on_ldap_create_user(sender, user, ldap_user, **kwargs): @receiver(openid_create_or_update_user) def on_openid_create_or_update_user(sender, request, user, created, name, username, email, **kwargs): if created: + logger.debug( + "Receive OpenID user created signal: {}, " + "Set user source is: {}".format(user, User.SOURCE_OPENID) + ) user.source = User.SOURCE_OPENID user.save() elif not created and settings.AUTH_OPENID_ALWAYS_UPDATE_USER: + logger.debug( + "Receive OpenID user updated signal: {}, " + "Update user info: {}" + "".format(user, "name: {}|username: {}|email: {}".format(name, username, email)) + ) user.name = name user.username = username user.email = email From 23f9454e5dc343da825f3eab529881f98508bab7 Mon Sep 17 00:00:00 2001 From: Bai Date: Wed, 29 Apr 2020 01:12:00 +0800 Subject: [PATCH 5/7] =?UTF-8?q?[Update]=20=E4=BF=AE=E6=94=B9Url=20name=20(?= =?UTF-8?q?oidc=20=3D>=20openi)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/authentication/templates/authentication/login.html | 2 +- apps/authentication/urls/view_urls.py | 2 +- apps/jumpserver/settings/auth.py | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/apps/authentication/templates/authentication/login.html b/apps/authentication/templates/authentication/login.html index 1f842d7a2..9cacdf4ff 100644 --- a/apps/authentication/templates/authentication/login.html +++ b/apps/authentication/templates/authentication/login.html @@ -56,7 +56,7 @@
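Review bot: the updated-user log call builds its message with a nested `"...{}" "".format(user, "name: {}|username: {}|email: {}".format(...))`, which is hard to read and formats eagerly even when debug logging is disabled; `logger.debug("Receive OpenID user updated signal: %s, update user info: name: %s|username: %s|email: %s", user, name, username, email)` is one call with lazy arguments. The created-signal message above it can use the same `%s` form. Both messages write the provider-supplied email into application logs — debug level only, but worth remembering if debug logging is switched on in production. The function continues past the hunk (its `user.save()` is not shown).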

{% trans "More login options" %}

- diff --git a/apps/authentication/urls/view_urls.py b/apps/authentication/urls/view_urls.py index 6c6d110d1..bee5f8517 100644 --- a/apps/authentication/urls/view_urls.py +++ b/apps/authentication/urls/view_urls.py @@ -17,5 +17,5 @@ urlpatterns = [ # openid path('cas/', include(('authentication.backends.cas.urls', 'authentication'), namespace='cas')), - path('oidc/', include(('jms_oidc_rp.urls', 'authentication'), namespace='oidc')), + path('openid/', include(('jms_oidc_rp.urls', 'authentication'), namespace='openid')), ] diff --git a/apps/jumpserver/settings/auth.py b/apps/jumpserver/settings/auth.py index d25a4b7bc..920fdb119 100644 --- a/apps/jumpserver/settings/auth.py +++ b/apps/jumpserver/settings/auth.py @@ -66,9 +66,9 @@ AUTH_OPENID_IGNORE_SSL_VERIFICATION = CONFIG.AUTH_OPENID_IGNORE_SSL_VERIFICATION AUTH_OPENID_USE_STATE = CONFIG.AUTH_OPENID_USE_STATE AUTH_OPENID_USE_NONCE = CONFIG.AUTH_OPENID_USE_NONCE AUTH_OPENID_ALWAYS_UPDATE_USER = CONFIG.AUTH_OPENID_ALWAYS_UPDATE_USER -AUTH_OPENID_AUTH_LOGIN_URL_NAME = 'authentication:oidc:login' -AUTH_OPENID_AUTH_LOGIN_CALLBACK_URL_NAME = 'authentication:oidc:login-callback' -AUTH_OPENID_AUTH_LOGOUT_URL_NAME = 'authentication:oidc:logout' +AUTH_OPENID_AUTH_LOGIN_URL_NAME = 'authentication:openid:login' +AUTH_OPENID_AUTH_LOGIN_CALLBACK_URL_NAME = 'authentication:openid:login-callback' +AUTH_OPENID_AUTH_LOGOUT_URL_NAME = 'authentication:openid:logout' # ============================================================================== # Radius Auth From 6eaba4e2fb610276dff953a91a3391d26b248f00 Mon Sep 17 00:00:00 2001 From: Bai Date: Wed, 29 Apr 2020 14:03:48 +0800 Subject: [PATCH 6/7] =?UTF-8?q?[Update]=20openid=E9=85=8D=E7=BD=AE?= =?UTF-8?q?=E5=88=86=E5=9D=97?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/jumpserver/settings/auth.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
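Review bot: moving the include from `oidc/` to `openid/` changes the OpenID login-callback URL, so every provider that has the old callback registered as an allowed redirect_uri will reject logins with a redirect_uri mismatch until that registration is updated; the commit message should say so, and a redirect from the old `oidc/` prefix would ease migration. The `# openid` comment in the context lines sits above the `cas/` include rather than the new `openid/` one — move it down or drop it. The renamed `authentication:openid:*` URL names in this patch's settings/auth.py hunk are consistent with the new namespace.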
diff --git a/apps/jumpserver/settings/auth.py b/apps/jumpserver/settings/auth.py index 920fdb119..516671980 100644 --- a/apps/jumpserver/settings/auth.py +++ b/apps/jumpserver/settings/auth.py @@ -61,10 +61,11 @@ AUTH_OPENID_PROVIDER_SIGNATURE_KEY = CONFIG.AUTH_OPENID_PROVIDER_SIGNATURE_KEY AUTH_OPENID_SCOPES = CONFIG.AUTH_OPENID_SCOPES AUTH_OPENID_ID_TOKEN_MAX_AGE = CONFIG.AUTH_OPENID_ID_TOKEN_MAX_AGE AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS = CONFIG.AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS -AUTH_OPENID_SHARE_SESSION = CONFIG.AUTH_OPENID_SHARE_SESSION -AUTH_OPENID_IGNORE_SSL_VERIFICATION = CONFIG.AUTH_OPENID_IGNORE_SSL_VERIFICATION AUTH_OPENID_USE_STATE = CONFIG.AUTH_OPENID_USE_STATE AUTH_OPENID_USE_NONCE = CONFIG.AUTH_OPENID_USE_NONCE + +AUTH_OPENID_SHARE_SESSION = CONFIG.AUTH_OPENID_SHARE_SESSION +AUTH_OPENID_IGNORE_SSL_VERIFICATION = CONFIG.AUTH_OPENID_IGNORE_SSL_VERIFICATION AUTH_OPENID_ALWAYS_UPDATE_USER = CONFIG.AUTH_OPENID_ALWAYS_UPDATE_USER AUTH_OPENID_AUTH_LOGIN_URL_NAME = 'authentication:openid:login' AUTH_OPENID_AUTH_LOGIN_CALLBACK_URL_NAME = 'authentication:openid:login-callback' From e4b788a012c5e47614b2eb95ca01b58a023f871d Mon Sep 17 00:00:00 2001 From: Bai Date: Wed, 29 Apr 2020 14:07:54 +0800 Subject: [PATCH 7/7] =?UTF-8?q?[Update]=20=E4=BF=AE=E6=94=B9=E4=BE=9D?= =?UTF-8?q?=E8=B5=96=E7=89=88=E6=9C=AC=20jumpserver-dajngo-oidc-rp=20(0.3.?= =?UTF-8?q?7.2)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- requirements/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements/requirements.txt b/requirements/requirements.txt index 81019d249..b34351e65 100644 --- a/requirements/requirements.txt +++ b/requirements/requirements.txt @@ -96,4 +96,4 @@ ipython huaweicloud-sdk-python==1.0.21 django-redis==4.11.0 python-redis-lock==3.5.0 -jumpserver-django-oidc-rp==0.3.7.1 +jumpserver-django-oidc-rp==0.3.7.2