diff --git a/apps/authentication/backends/oidc/backends.py b/apps/authentication/backends/oidc/backends.py index ddee19731..8a70b4027 100644 --- a/apps/authentication/backends/oidc/backends.py +++ b/apps/authentication/backends/oidc/backends.py @@ -224,7 +224,6 @@ class OIDCAuthCodeBackend(OIDCBaseBackend): user_auth_failed.send( sender=self.__class__, request=request, username=user.username, reason="User is invalid", backend=settings.AUTH_BACKEND_OIDC_CODE - ) return None diff --git a/apps/authentication/backends/oidc/utils.py b/apps/authentication/backends/oidc/utils.py index 31cca6f03..de9230a62 100644 --- a/apps/authentication/backends/oidc/utils.py +++ b/apps/authentication/backends/oidc/utils.py @@ -10,16 +10,15 @@ import datetime as dt from calendar import timegm from urllib.parse import urlparse +from django.conf import settings from django.core.exceptions import SuspiciousOperation from django.utils.encoding import force_bytes, smart_bytes from jwkest import JWKESTException from jwkest.jwk import KEYS from jwkest.jws import JWS -from django.conf import settings from common.utils import get_logger - logger = get_logger(__file__) @@ -99,7 +98,8 @@ def _validate_claims(id_token, nonce=None, validate_nonce=True): raise SuspiciousOperation('Incorrect id_token: nbf') # Verifies that the token was issued in the allowed timeframe. - if utc_timestamp > id_token['iat'] + settings.AUTH_OPENID_ID_TOKEN_MAX_AGE: + max_age = settings.AUTH_OPENID_ID_TOKEN_MAX_AGE + if utc_timestamp > id_token['iat'] + max_age: logger.debug(log_prompt.format('Incorrect id_token: iat')) raise SuspiciousOperation('Incorrect id_token: iat') diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py index cc7b20840..f980f11ae 100644 --- a/apps/jumpserver/conf.py +++ b/apps/jumpserver/conf.py 
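Review bot: The new `max_age` line in `_validate_claims` still reads `id_token['iat']` directly, so an IdP token that omits `iat` (or carries a non-numeric value) fails with KeyError/TypeError rather than the SuspiciousOperation the neighbouring `nbf` check raises — unless a presence check earlier in the function, which starts above this hunk, already covers it. Reading it defensively keeps malformed and stale tokens on the same rejection path: `iat = id_token.get('iat')` followed by `if not isinstance(iat, (int, float)) or utc_timestamp > iat + max_age:`. Now that `max_age` is a local, a one-line comment that it is in seconds and is compared against a UTC epoch timestamp would spare the next reader a trip to the settings module.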
@@ -349,7 +349,7 @@ class Config(dict): 'AUTH_OPENID_PROVIDER_SIGNATURE_ALG': 'HS256', 'AUTH_OPENID_PROVIDER_SIGNATURE_KEY': None, 'AUTH_OPENID_SCOPES': 'openid profile email', - 'AUTH_OPENID_ID_TOKEN_MAX_AGE': 60, + 'AUTH_OPENID_ID_TOKEN_MAX_AGE': 600, 'AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS': True, 'AUTH_OPENID_USE_STATE': True, 'AUTH_OPENID_USE_NONCE': True, diff --git a/apps/users/signal_handlers.py b/apps/users/signal_handlers.py index 24ac42263..955fbec78 100644 --- a/apps/users/signal_handlers.py +++ b/apps/users/signal_handlers.py @@ -155,11 +155,13 @@ def radius_create_user(sender, user, **kwargs): @receiver(openid_create_or_update_user) def on_openid_create_or_update_user(sender, user, created, attrs, **kwargs): + group_names = attrs.get('groups') if created: org_ids = bind_user_to_org_role(user) - group_names = attrs.get('groups') - bind_user_to_group(org_ids, group_names, user) + else: + org_ids = user.joined_orgs.values_list('id', flat=True) + bind_user_to_group(org_ids, group_names, user) source = User.Source.openid.value user_authenticated_handle(user, created, source, attrs, **kwargs) @@ -235,6 +237,7 @@ def bind_user_to_group(org_ids, group_names, user): return org_ids = org_ids or [Organization.DEFAULT_ID] + org_ids = [str(i) for i in org_ids if i] with tmp_to_root_org(): existing_groups = UserGroup.objects.filter(org_id__in=org_ids).values_list('org_id', 'name') 
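Review bot: Raising the default `AUTH_OPENID_ID_TOKEN_MAX_AGE` from 60 to 600 widens the window in which `_validate_claims` still accepts a captured id_token tenfold, and the hunk records no reason for it. If the motivation is clock skew between this host and the IdP, a small explicit leeway applied to `iat` would be the narrower fix than a ten-minute lifetime; if ten minutes is intended, the value should carry a comment such as `# seconds after 'iat' an id_token is still accepted; replay inside this window is presumably only caught by the nonce check, which AUTH_OPENID_USE_NONCE can disable`. `AUTH_OPENID_USE_NONCE` stays True by default in this hunk, so the exposure is mainly for deployments that turn the nonce off.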
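Review bot: With the new `else` branch, `bind_user_to_group` now runs on every OIDC login for existing users, but as far as the hunks in this diff show it only ever adds group links, so a user removed from a group on the IdP side keeps that group in JumpServer — the sync is one-way additive. Either document that at the call site (`# groups from the IdP 'groups' claim are added on each login, never removed`) or make the function reconcile if IdP-authoritative membership is the intent. The group names still come straight from the `groups` claim and, per the following hunk, create UserGroup rows, so the IdP is trusted to supply only intended names. `user.joined_orgs.values_list('id', flat=True)` is a lazy queryset that is only evaluated inside the callee; I cannot tell from here whether `user_authenticated_handle` is the last statement of this function.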
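Review bot: The added `org_ids = [str(i) for i in org_ids if i]` runs after the `org_ids or [Organization.DEFAULT_ID]` fallback, so a non-empty list of falsy ids (e.g. `[None]`) gets past the fallback and then collapses to `[]`, after which `org_id__in=[]` matches nothing and the user is silently bound to no groups instead of the default org's. Filtering first and falling back afterwards closes that gap in one line: `org_ids = [str(i) for i in (org_ids or []) if i] or [str(Organization.DEFAULT_ID)]`. Whether any caller can actually pass such ids is not visible here — the new `joined_orgs` caller presumably cannot — so this is defensive. `bind_user_to_group` starts above this hunk.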
@@ -252,12 +255,19 @@ def bind_user_to_group(org_ids, group_names, user): ) UserGroup.objects.bulk_create(groups_to_create) - user_groups = UserGroup.objects.filter(org_id__in=org_ids, name__in=group_names) + user_group_ids = set(user_groups.values_list('id', flat=True)) + exist_group_ids = set( + User.groups.through.objects.filter(user_id=user.id) + .values_list('usergroup_id', flat=True) + ) + need_add_group_ids = user_group_ids - exist_group_ids + user_group_links = [ - User.groups.through(user_id=user.id, usergroup_id=group.id) - for group in user_groups + User.groups.through(user_id=user.id, usergroup_id=group_id) + for group_id in need_add_group_ids ] + if user_group_links: - User.groups.through.objects.bulk_create(user_group_links) + User.groups.through.objects.bulk_create(user_group_links, ignore_conflicts=True)