diff --git a/Dockerfile-ee b/Dockerfile-ee
index 6ac258b5d..5f4baf4c4 100644
--- a/Dockerfile-ee
+++ b/Dockerfile-ee
@@ -1,27 +1,5 @@
 ARG VERSION=dev
-FROM python:3.14-slim-trixie AS gmssl-builder
-WORKDIR /app
-ARG GMSSL_VERSION=3.1.1
-RUN set -ex \
- && apt-get update \
- && apt-get install -y --no-install-recommends \
- git \
- cmake \
- make \
- gcc \
- g++ \
- ca-certificates \
- && rm -rf /var/lib/apt/lists/*
-
-RUN set -ex \
- && git clone --branch v${GMSSL_VERSION} https://github.com/guanzhi/GmSSL.git \
- && cd GmSSL \
- && mkdir build \
- && cd build \
- && cmake .. \
- && make \
- && make -j"$(nproc)" \
- && make install
+FROM jumpserver/gmssl:3.1.1-trixie AS gmssl-builder
 FROM registry.fit2cloud.com/jumpserver/xpack:${VERSION} AS build-xpack
 FROM jumpserver/core:${VERSION}-ce
@@ -44,8 +22,6 @@ WORKDIR /opt/jumpserver
 ARG PIP_MIRROR=https://pypi.org/simple
-ARG GMSSL_VERSION=3.1.1
-
 RUN set -ex \
 && uv pip install -i${PIP_MIRROR} --group xpack \
 && rm -rf /root/.cache/
diff --git a/apps/accounts/serializers/automations/change_secret.py b/apps/accounts/serializers/automations/change_secret.py
index e5510b7cc..288be098f 100644
--- a/apps/accounts/serializers/automations/change_secret.py
+++ b/apps/accounts/serializers/automations/change_secret.py
@@ -13,6 +13,7 @@ from accounts.models import (
 )
 from accounts.serializers import AuthValidateMixin, PasswordRulesSerializer
 from assets.models import Asset
+from common.serializers import SecretReadableCheckMixin
 from common.serializers.fields import LabeledChoiceField, ObjectRelatedField
 from common.utils import get_logger
 from .base import BaseAutomationSerializer
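Review bot: The new builder stage `FROM jumpserver/gmssl:3.1.1-trixie AS gmssl-builder` pins only a mutable tag, so the prebuilt GmSSL artefacts this stage contributes can change under the same tag, whereas the removed stage built from a fixed upstream git tag (`v${GMSSL_VERSION}`) and made the provenance explicit. For a library that presumably backs the SM2 certificate checks used by the UKey login backend elsewhere in this diff, pin the image by digest as well, e.g. `FROM jumpserver/gmssl:3.1.1-trixie@sha256:<image-digest> AS gmssl-builder`, and note in a comment where that image is built from. The second hunk of this file only removes the now-unused `ARG GMSSL_VERSION` and needs no change.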
@@ -134,12 +135,13 @@ class ChangeSecretRecordSerializer(serializers.ModelSerializer):
 return obj.status == ChangeSecretRecordStatusChoice.success
-class ChangeSecretRecordViewSecretSerializer(serializers.ModelSerializer):
+class ChangeSecretRecordViewSecretSerializer(SecretReadableCheckMixin, serializers.ModelSerializer):
 class Meta:
 model = ChangeSecretRecord
 fields = [
 'id', 'old_secret', 'new_secret',
 ]
+ secret_fields = ['old_secret', 'new_secret']
 read_only_fields = fields
diff --git a/apps/authentication/backends/ukey/backends.py b/apps/authentication/backends/ukey/backends.py
index c937951e5..cde2438b4 100644
--- a/apps/authentication/backends/ukey/backends.py
+++ b/apps/authentication/backends/ukey/backends.py
@@ -7,6 +7,7 @@ import tempfile
 from django.conf import settings
 from django.core.exceptions import PermissionDenied
+from django.utils.translation import gettext_lazy as _
 from users.models import User
 from common.utils import get_logger
@@ -24,6 +25,7 @@ from .exceptions import (
 UKeyCertUnsupportedAlgorithmError,
 )
 from .utils import is_sm2_pem
+from authentication.errors.const import reason_user_inactive, reason_choices
 __all__ = ['UKeyBackend']
@@ -45,9 +47,14 @@ class UKeyBackend(JMSBaseAuthBackend):
 user = self._check_user_and_ukey_sn(username, ukey_sn)
 cert_pem = self._load_cert_pem(cert)
 if self._is_sm2_cert(cert_pem):
- return self._authenticate_sm2(cert_pem, username, signature, challenge, user)
+ user = self._authenticate_sm2(cert_pem, username, signature, challenge, user)
 else:
- return self._authenticate_other(cert_pem, username, signature, challenge, user)
+ user = self._authenticate_other(cert_pem, username, signature, challenge, user)
+ if self.user_can_authenticate(user):
+ return user
+ else:
+ error = reason_choices[reason_user_inactive]
+ raise PermissionDenied(error)
 except Exception as e:
 if request:
 request.error_message = str(e)
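Review bot: `ChangeSecretRecordViewSecretSerializer` now mixes in `SecretReadableCheckMixin` driven by `Meta.secret_fields = ['old_secret', 'new_secret']`, but nothing in the hunk says what the mixin does when the requester may not read those fields (mask, drop or raise), so a reader of the view that serves this serializer has to open the mixin to know whether a plaintext secret can still be returned. Once that behaviour is confirmed against the mixin, add a class docstring such as `"""Expose a change-secret record's old/new secret; SecretReadableCheckMixin gates the fields listed in Meta.secret_fields on the requester."""`. `secret_fields` also repeats the two secret names already in `fields`; a short comment that the two lists must stay in sync would prevent a future field being added to one but not the other.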
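Review bot: `from django.utils.translation import gettext_lazy as _` is added in the first hunk of backends.py but none of the visible hunks use `_`; the new failure text comes from `reason_choices` instead. If no other line of the file uses it, drop the import. In the second hunk, `from authentication.errors.const import reason_user_inactive, reason_choices` is an absolute import placed after the relative `from .utils import is_sm2_pem`, which breaks the grouping the surrounding imports follow; move it up next to the other absolute project imports.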
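Review bot: `raise PermissionDenied(error)` for an inactive user is thrown inside the `try`, so it is caught two lines later by `except Exception as e:` and surfaces only as `request.error_message = str(e)` plus whatever the handler does after the hunk; the inactive reason therefore reaches the caller through the same generic path as a certificate failure, which is only correct if that path ends by returning `None` (the handler's tail is outside the hunk). The `else:` after `return user` is redundant; a guard reads more directly: `if not self.user_can_authenticate(user): raise PermissionDenied(reason_choices[reason_user_inactive])` followed by `return user`. Also confirm that `user_can_authenticate` (inherited from `JMSBaseAuthBackend`, not visible here) tolerates `user` being `None` if `_authenticate_sm2` / `_authenticate_other` can return `None` on a bad signature, otherwise a failed signature could be reported to the auth signal as an inactive account. The enclosing method starts and ends outside the hunk.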
diff --git a/apps/authentication/backends/ukey/vendors/ji_da/sdk_config.yaml b/apps/authentication/backends/ukey/vendors/ji_da/sdk_config.yaml
index 77d5e5da8..2815f7ec1 100644
--- a/apps/authentication/backends/ukey/vendors/ji_da/sdk_config.yaml
+++ b/apps/authentication/backends/ukey/vendors/ji_da/sdk_config.yaml
@@ -297,7 +297,7 @@ operations:
 url_format:
 user_id: "{{ user.id }}"
 body:
- ukey_sn: null
+ ukey_sn: ""
 register: user
 - key: issueCert
diff --git a/apps/authentication/backends/ukey/vendors/long_mai/sdk_config.yaml b/apps/authentication/backends/ukey/vendors/long_mai/sdk_config.yaml
index 39028feff..3cb850247 100644
--- a/apps/authentication/backends/ukey/vendors/long_mai/sdk_config.yaml
+++ b/apps/authentication/backends/ukey/vendors/long_mai/sdk_config.yaml
@@ -359,7 +359,7 @@ operations:
 url_format:
 user_id: "{{ user.id }}"
 body:
- ukey_sn: null
+ ukey_sn: ""
 register: user
 - key: issueCert
diff --git a/apps/authentication/backends/ukey/views.py b/apps/authentication/backends/ukey/views.py
index 23048f70c..e85ba9271 100644
--- a/apps/authentication/backends/ukey/views.py
+++ b/apps/authentication/backends/ukey/views.py
@@ -5,7 +5,6 @@ from urllib.parse import urlencode
 from django.conf import settings
 from django.contrib.auth import authenticate
-from django.contrib import messages
 from django.core.cache import cache
 from django.utils.decorators import method_decorator
 from django.utils.translation import gettext as _
@@ -27,6 +26,7 @@ from .sdk import ukey_sdk_config
 __all__ = ['UKeyLoginView']
 _CHALLENGE_CACHE_KEY_PREFIX = 'ukey_login_challenge'
+_UKEY_ERROR_SESSION_KEY = 'ukey_login_error'
 @method_decorator(sensitive_post_parameters(), name='dispatch')
 @method_decorator(csrf_protect, name='dispatch')
@@ -79,6 +79,7 @@ class UKeyLoginView(AuthMixin, FormView):
 def get_context_data(self, **kwargs):
 context = super().get_context_data(**kwargs)
 context['challenge'] = self._generate_and_store_challenge()
+ context['error_msg'] = self.request.session.pop(_UKEY_ERROR_SESSION_KEY, '')
 return context
 def form_valid(self, form):
@@ -155,7 +156,7 @@ class UKeyLoginView(AuthMixin, FormView):
 return field_name
 def get_failed_response(self, form, username, error_msg):
- messages.error(self.request, error_msg)
+ self.request.session[_UKEY_ERROR_SESSION_KEY] = str(error_msg or _('Unknown'))
 self.send_auth_signal(success=False, reason=error_msg, username=username)
 return redirect(self._build_login_redirect_url())
diff --git a/apps/authentication/templates/authentication/auth_fail_flash_message_standalone.html b/apps/authentication/templates/authentication/auth_fail_flash_message_standalone.html
index 1ac57cd92..c3ab04d87 100644
--- a/apps/authentication/templates/authentication/auth_fail_flash_message_standalone.html
+++ b/apps/authentication/templates/authentication/auth_fail_flash_message_standalone.html
@@ -56,7 +56,7 @@
 }
 function redirect_page() {
- if (time >= 0) {
+ if (time > 0) {
 var msg = message + ', ' + time + ' ...';
 $('#messages').html(msg);
 time--;
diff --git a/apps/authentication/templates/authentication/login_ukey.html b/apps/authentication/templates/authentication/login_ukey.html
index bb21be15e..c26758a74 100644
--- a/apps/authentication/templates/authentication/login_ukey.html
+++ b/apps/authentication/templates/authentication/login_ukey.html
@@ -202,11 +202,9 @@
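Review bot: `context['error_msg'] = self.request.session.pop(_UKEY_ERROR_SESSION_KEY, '')` hands the template a string that `get_failed_response` (the second hunk of this file) builds from `error_msg`, which may be the raw `str(e)` that `UKeyBackend` stores in `request.error_message` in backends.py; exception text can echo request-supplied values such as the username or certificate fields. Check that `login_ukey.html` renders `error_msg` under Django's autoescaping (no `|safe` or `mark_safe`), since that template's hunk is cut off at the end of this diff and cannot be confirmed here. The session write in `get_failed_response` happens before the redirect and the value is consumed by a single `pop`, so the message survives exactly one page load; that one-shot contract is worth a comment on the constant, e.g. `# one-shot flash message: set in get_failed_response, consumed by get_context_data`.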
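Review bot: The countdown change to `if (time > 0) {` stops the page from printing a `0 ...` tick before redirecting, but the line it guards, `$('#messages').html(msg);`, still inserts `message` as markup; if `message` is interpolated from a server-side value rather than a fixed literal (its definition is above the hunk), `$('#messages').text(msg);` gives the same display without interpreting the text as HTML. `redirect_page` continues past the end of the hunk.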