From 817957dbac9b1b2f72fa62a3aadddaac1e869984 Mon Sep 17 00:00:00 2001
From: Bai <baijiangjie@gmail.com>
Date: Mon, 9 Dec 2024 14:13:44 +0800
Subject: [PATCH] fix: fixed an issue where auth backend could pass inspect

---
 apps/authentication/backends/custom.py        | 11 ++--
 .../backends/oauth2/backends.py               |  6 +--
 apps/authentication/backends/oidc/backends.py |  8 +--
 .../authentication/backends/oidc/decorator.py |  3 ++
 .../backends/radius/backends.py               |  4 +-
 .../authentication/backends/saml2/backends.py |  6 +--
 apps/authentication/backends/sso.py           | 50 +++++--------------
 apps/authentication/backends/token.py         | 13 ++---
 apps/rbac/backends.py                         |  2 +-
 9 files changed, 42 insertions(+), 61 deletions(-)

diff --git a/apps/authentication/backends/custom.py b/apps/authentication/backends/custom.py
index 3f2b05940..77109b1fd 100644
--- a/apps/authentication/backends/custom.py
+++ b/apps/authentication/backends/custom.py
@@ -5,7 +5,7 @@ from django.utils.translation import gettext_lazy as _
 
 from authentication.signals import user_auth_failed, user_auth_success
 from common.utils import get_logger
-from .base import JMSModelBackend
+from .base import JMSBaseAuthBackend
 
 logger = get_logger(__file__)
 
@@ -20,9 +20,10 @@ if settings.AUTH_CUSTOM:
         logger.warning('Import custom auth method failed: {}, Maybe not enabled'.format(e))
 
 
-class CustomAuthBackend(JMSModelBackend):
+class CustomAuthBackend(JMSBaseAuthBackend):
 
-    def is_enabled(self):
+    @staticmethod
+    def is_enabled():
         return settings.AUTH_CUSTOM and callable(custom_authenticate_method)
 
     @staticmethod
@@ -35,10 +36,10 @@ class CustomAuthBackend(JMSModelBackend):
         )
         return user, created
 
-    def authenticate(self, request, username=None, password=None, **kwargs):
+    def authenticate(self, request, username=None, password=None):
         try:
             userinfo: dict = custom_authenticate_method(
-                username=username, password=password, **kwargs
+                username=username, password=password
             )
             user, created = self.get_or_create_user_from_userinfo(userinfo)
         except Exception as e:
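Review bot: The reason `**kwargs` is dropped from `authenticate` is not recorded anywhere in the code: `django.contrib.auth.authenticate()` binds the supplied credentials against `inspect.signature(backend.authenticate)` and skips any backend where that raises TypeError, so a catch-all `**kwargs` made this backend a candidate for every credential set. A one-line comment above the signature would keep a later maintainer from re-adding it, e.g. `# No **kwargs: django.contrib.auth.authenticate() only routes credentials this signature can bind.` The same applies to the signatures changed in oauth2/backends.py, oidc/backends.py, radius/backends.py, saml2/backends.py and token.py. Note also that extra keyword arguments are no longer forwarded to `custom_authenticate_method`, which is presumably intended but narrows the contract for site-provided custom auth modules. The body of `authenticate` continues past the hunk.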
diff --git a/apps/authentication/backends/oauth2/backends.py b/apps/authentication/backends/oauth2/backends.py
index 98cc52195..a6554c992 100644
--- a/apps/authentication/backends/oauth2/backends.py
+++ b/apps/authentication/backends/oauth2/backends.py
@@ -18,7 +18,7 @@ from common.exceptions import JMSException
 from .signals import (
     oauth2_create_or_update_user
 )
-from ..base import JMSModelBackend
+from ..base import JMSBaseAuthBackend
 
 
 __all__ = ['OAuth2Backend']
@@ -26,7 +26,7 @@ __all__ = ['OAuth2Backend']
 logger = get_logger(__name__)
 
 
-class OAuth2Backend(JMSModelBackend):
+class OAuth2Backend(JMSBaseAuthBackend):
     @staticmethod
     def is_enabled():
         return settings.AUTH_OAUTH2
@@ -68,7 +68,7 @@ class OAuth2Backend(JMSModelBackend):
             response_data = response_data['data']
         return response_data
 
-    def authenticate(self, request, code=None, **kwargs):
+    def authenticate(self, request, code=None):
         log_prompt = "Process authenticate [OAuth2Backend]: {}"
         logger.debug(log_prompt.format('Start'))
         if code is None:
diff --git a/apps/authentication/backends/oidc/backends.py b/apps/authentication/backends/oidc/backends.py
index cd27865e7..82a1391ce 100644
--- a/apps/authentication/backends/oidc/backends.py
+++ b/apps/authentication/backends/oidc/backends.py
@@ -86,7 +86,7 @@ class OIDCAuthCodeBackend(OIDCBaseBackend):
     """
 
     @ssl_verification
-    def authenticate(self, request, nonce=None, code_verifier=None, **kwargs):
+    def authenticate(self, request, nonce=None, code_verifier=None):
         """ Authenticates users in case of the OpenID Connect Authorization code flow. """
         log_prompt = "Process authenticate [OIDCAuthCodeBackend]: {}"
         logger.debug(log_prompt.format('start'))
@@ -233,15 +233,15 @@ class OIDCAuthCodeBackend(OIDCBaseBackend):
 class OIDCAuthPasswordBackend(OIDCBaseBackend):
 
     @ssl_verification
-    def authenticate(self, request, username=None, password=None, **kwargs):
+    def authenticate(self, request, username=None, password=None):
         try:
-            return self._authenticate(request, username, password, **kwargs)
+            return self._authenticate(request, username, password)
         except Exception as e:
             error = f'Authenticate exception: {e}'
             logger.error(error, exc_info=True)
             return
 
-    def _authenticate(self, request, username=None, password=None, **kwargs):
+    def _authenticate(self, request, username=None, password=None):
         """
         https://oauth.net/2/
         https://aaronparecki.com/oauth-2-simplified/#password
diff --git a/apps/authentication/backends/oidc/decorator.py b/apps/authentication/backends/oidc/decorator.py
index e28813de8..e39b9ebf2 100644
--- a/apps/authentication/backends/oidc/decorator.py
+++ b/apps/authentication/backends/oidc/decorator.py
@@ -4,7 +4,9 @@
 import warnings
 import contextlib
 import requests
+import inspect
 
+from functools import wraps
 from django.conf import settings
 from urllib3.exceptions import InsecureRequestWarning
 
@@ -52,6 +54,7 @@ def no_ssl_verification():
 
 
 def ssl_verification(func):
+    @wraps(func)
     def wrapper(*args, **kwargs):
         if not settings.AUTH_OPENID_IGNORE_SSL_VERIFICATION:
             return func(*args, **kwargs)
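Review bot: `@wraps(func)` is what makes the narrowed `authenticate` signatures in oidc/backends.py take effect, because `inspect.signature()` follows the `__wrapped__` attribute that `wraps` sets and so reports the real parameters instead of `(*args, **kwargs)`, yet nothing in the code records that dependency. A comment on the decorator line would help: `# @wraps sets __wrapped__ so inspect.signature() reports func's real parameters to Django's authenticate()`. Separately, the `import inspect` added in the first hunk of this file is not used in either visible hunk; if nothing outside the hunks uses it, drop it, and `from functools import wraps` belongs in the stdlib group next to `warnings`/`contextlib` rather than after `requests`. The wrapper body continues past the hunk.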
diff --git a/apps/authentication/backends/radius/backends.py b/apps/authentication/backends/radius/backends.py
index 148e9bac2..95ce1d7b2 100644
--- a/apps/authentication/backends/radius/backends.py
+++ b/apps/authentication/backends/radius/backends.py
@@ -51,10 +51,10 @@ class RadiusBaseBackend(CreateUserMixin, JMSBaseAuthBackend):
 
 
 class RadiusBackend(RadiusBaseBackend, RADIUSBackend):
-    def authenticate(self, request, username='', password='', **kwargs):
+    def authenticate(self, request, username='', password=''):
         return super().authenticate(request, username=username, password=password)
 
 
 class RadiusRealmBackend(RadiusBaseBackend, RADIUSRealmBackend):
-    def authenticate(self, request, username='', password='', realm=None, **kwargs):
+    def authenticate(self, request, username='', password='', realm=None):
         return super().authenticate(request, username=username, password=password, realm=realm)
diff --git a/apps/authentication/backends/saml2/backends.py b/apps/authentication/backends/saml2/backends.py
index ac2aa7bb7..52bc79501 100644
--- a/apps/authentication/backends/saml2/backends.py
+++ b/apps/authentication/backends/saml2/backends.py
@@ -10,14 +10,14 @@ from .signals import (
     saml2_create_or_update_user
 )
 from authentication.signals import user_auth_failed, user_auth_success
-from ..base import JMSModelBackend
+from ..base import JMSBaseAuthBackend
 
 __all__ = ['SAML2Backend']
 
 logger = get_logger(__name__)
 
 
-class SAML2Backend(JMSModelBackend):
+class SAML2Backend(JMSBaseAuthBackend):
     @staticmethod
     def is_enabled():
         return settings.AUTH_SAML2
@@ -42,7 +42,7 @@ class SAML2Backend(JMSModelBackend):
         )
         return user, created
 
-    def authenticate(self, request, saml_user_data=None, **kwargs):
+    def authenticate(self, request, saml_user_data=None):
         log_prompt = "Process authenticate [SAML2Backend]: {}"
         logger.debug(log_prompt.format('Start'))
         if saml_user_data is None:
diff --git a/apps/authentication/backends/sso.py b/apps/authentication/backends/sso.py
index 5ee17a4ca..cc02b0d0d 100644
--- a/apps/authentication/backends/sso.py
+++ b/apps/authentication/backends/sso.py
@@ -1,57 +1,41 @@
 from django.conf import settings
 
-from .base import JMSModelBackend
+from .base import JMSBaseAuthBackend
 
 
-class SSOAuthentication(JMSModelBackend):
-    """
-    什么也不做呀😺
-    """
-
+class SSOAuthentication(JMSBaseAuthBackend):
     @staticmethod
     def is_enabled():
         return settings.AUTH_SSO
 
-    def authenticate(self, request, sso_token=None, **kwargs):
+    def authenticate(self):
         pass
 
 
-class WeComAuthentication(JMSModelBackend):
-    """
-    什么也不做呀😺
-    """
-
+class WeComAuthentication(JMSBaseAuthBackend):
     @staticmethod
     def is_enabled():
         return settings.AUTH_WECOM
 
-    def authenticate(self, request, **kwargs):
+    def authenticate(self):
         pass
 
 
-class DingTalkAuthentication(JMSModelBackend):
-    """
-    什么也不做呀😺
-    """
-
+class DingTalkAuthentication(JMSBaseAuthBackend):
     @staticmethod
     def is_enabled():
         return settings.AUTH_DINGTALK
 
-    def authenticate(self, request, **kwargs):
+    def authenticate(self):
         pass
 
 
-class FeiShuAuthentication(JMSModelBackend):
-    """
-    什么也不做呀😺
-    """
-
+class FeiShuAuthentication(JMSBaseAuthBackend):
     @staticmethod
     def is_enabled():
         return settings.AUTH_FEISHU
 
-    def authenticate(self, request, **kwargs):
+    def authenticate(self):
         pass
 
 
@@ -61,23 +45,15 @@ class LarkAuthentication(FeiShuAuthentication):
         return settings.AUTH_LARK
 
 
-class SlackAuthentication(JMSModelBackend):
-    """
-    什么也不做呀😺
-    """
-
+class SlackAuthentication(JMSBaseAuthBackend):
     @staticmethod
     def is_enabled():
         return settings.AUTH_SLACK
 
-    def authenticate(self, request, **kwargs):
+    def authenticate(self):
         pass
 
 
-class AuthorizationTokenAuthentication(JMSModelBackend):
-    """
-    什么也不做呀😺
-    """
-
-    def authenticate(self, request, **kwargs):
+class AuthorizationTokenAuthentication(JMSBaseAuthBackend):
+    def authenticate(self):
         pass
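Review bot: `authenticate(self)` on SlackAuthentication and AuthorizationTokenAuthentication now accepts neither `request` nor credentials, so `django.contrib.auth.authenticate()` can never bind to it and always skips these backends; that is presumably the intent for placeholder backends, but with the old docstrings removed nothing says so. The same applies to the five classes in the first hunk of this file and to `RBACBackend.authenticate` in apps/rbac/backends.py. A one-line docstring on each would stop a later reader from "fixing" the signature, e.g. `"""Placeholder: deliberately binds no credentials so django.contrib.auth.authenticate() skips this backend."""`.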
diff --git a/apps/authentication/backends/token.py b/apps/authentication/backends/token.py
index be9cb9032..8881448de 100644
--- a/apps/authentication/backends/token.py
+++ b/apps/authentication/backends/token.py
@@ -3,13 +3,17 @@ from django.conf import settings
 from django.core.exceptions import PermissionDenied
 
 from authentication.models import TempToken
-from .base import JMSModelBackend
+from .base import JMSBaseAuthBackend
 
 
-class TempTokenAuthBackend(JMSModelBackend):
+class TempTokenAuthBackend(JMSBaseAuthBackend):
     model = TempToken
 
-    def authenticate(self, request, username='', password='', *args, **kwargs):
+    @staticmethod
+    def is_enabled():
+        return settings.AUTH_TEMP_TOKEN
+
+    def authenticate(self, request, username='', password=''):
         token = self.model.objects.filter(username=username, secret=password).first()
         if not token:
             return None
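Review bot: With the new `username=''`/`password=''` defaults, a call that binds with no credentials goes straight to `self.model.objects.filter(username='', secret='')` on the line after the signature; a guard `if not username or not password: return None` before the query avoids the needless lookup and any accidental match against a blank secret. Presumably stored secrets are never empty, but the check is cheap and makes the intent explicit. The rest of `authenticate` lies outside the hunk.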
@@ -21,6 +25,3 @@ class TempTokenAuthBackend(JMSModelBackend):
         token.save()
         return token.user
 
-    @staticmethod
-    def is_enabled():
-        return settings.AUTH_TEMP_TOKEN
diff --git a/apps/rbac/backends.py b/apps/rbac/backends.py
index aac44da36..4e91e818d 100644
--- a/apps/rbac/backends.py
+++ b/apps/rbac/backends.py
@@ -9,7 +9,7 @@ class RBACBackend(JMSBaseAuthBackend):
     def is_enabled():
         return True
 
-    def authenticate(self, *args, **kwargs):
+    def authenticate(self):
         return None
 
     def username_allow_authenticate(self, username):