Revert "Revert "perf: Unify external TLS verification via VERIFY_EXTERNAL_SSL""

This reverts commit aadc072067.

apps/common/sdk/sms/custom.py

@@ -1,15 +1,12 @@
-import requests
-
 from collections import OrderedDict
 
+import requests
 from django.conf import settings
 
-from common.utils import get_logger
 from common.exceptions import JMSException
-
+from common.utils import get_logger
 from .base import BaseSMSClient
 
-
 logger = get_logger(__file__)
 
 
@@ -38,7 +35,7 @@ class CustomSMS(BaseSMSClient):
             action = requests.get
             kwargs = {'params': params}
         try:
-            response = action(url=settings.CUSTOM_SMS_URL, verify=False, **kwargs)
+            response = action(url=settings.CUSTOM_SMS_URL, verify=settings.VERIFY_EXTERNAL_SSL, **kwargs)
             response.raise_for_status()
         except Exception as exc:
             logger.error('Custom sms error: {}'.format(exc))

apps/jumpserver/conf.py

@@ -9,6 +9,7 @@
 """
 import base64
 import copy
+import errno
 import json
 import logging
 import os
@@ -227,6 +228,7 @@ class Config(dict):
 
         # Security
         'X_FRAME_OPTIONS': 'SAMEORIGIN',
+        'VERIFY_EXTERNAL_SSL': True,
 
         # 未使用的配置
         'CAPTCHA_TEST_MODE': None,

apps/jumpserver/rewriting/exchange.py

@@ -1,28 +1,26 @@
 import urllib3
-
-from urllib3.exceptions import InsecureRequestWarning
-
+from django.conf import settings
 from django.core.mail.backends.base import BaseEmailBackend
 from django.core.mail.message import sanitize_address
-from django.conf import settings
 from exchangelib import Account, Credentials, Configuration, DELEGATE
-from exchangelib import Mailbox, Message, HTMLBody, FileAttachment
 from exchangelib import BaseProtocol, NoVerifyHTTPAdapter
+from exchangelib import Mailbox, Message, HTMLBody, FileAttachment
 from exchangelib.errors import TransportError
+from urllib3.exceptions import InsecureRequestWarning
 
-
-urllib3.disable_warnings(InsecureRequestWarning)
-BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter
+if not settings.VERIFY_EXTERNAL_SSL:
+    urllib3.disable_warnings(InsecureRequestWarning)
+    BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter
 
 
 class EmailBackend(BaseEmailBackend):
     def __init__(
-        self,
-        service_endpoint=None,
-        username=None,
-        password=None,
-        fail_silently=False,
-        **kwargs,
+            self,
+            service_endpoint=None,
+            username=None,
+            password=None,
+            fail_silently=False,
+            **kwargs,
     ):
         super().__init__(fail_silently=fail_silently)
         self.service_endpoint = service_endpoint or settings.EMAIL_HOST

apps/jumpserver/settings/auth.py

@@ -20,8 +20,11 @@ AUTH_LDAP_SEARCH_FILTER = CONFIG.AUTH_LDAP_SEARCH_FILTER
 AUTH_LDAP_START_TLS = CONFIG.AUTH_LDAP_START_TLS
 AUTH_LDAP_USER_ATTR_MAP = CONFIG.AUTH_LDAP_USER_ATTR_MAP
 AUTH_LDAP_USER_QUERY_FIELD = 'username'
+LDAP_TLS_REQUIRE_CERT = (
+    ldap.OPT_X_TLS_DEMAND if CONFIG.VERIFY_EXTERNAL_SSL else ldap.OPT_X_TLS_NEVER
+)
 AUTH_LDAP_GLOBAL_OPTIONS = {
-    ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER,
+    ldap.OPT_X_TLS_REQUIRE_CERT: LDAP_TLS_REQUIRE_CERT,
     ldap.OPT_REFERRALS: CONFIG.AUTH_LDAP_OPTIONS_OPT_REFERRALS
 }
 LDAP_CACERT_FILE = os.path.join(PROJECT_DIR, "data", "certs", "ldap_ca.pem")
@@ -65,7 +68,7 @@ AUTH_LDAP_HA_START_TLS = CONFIG.AUTH_LDAP_HA_START_TLS
 AUTH_LDAP_HA_USER_ATTR_MAP = CONFIG.AUTH_LDAP_HA_USER_ATTR_MAP
 AUTH_LDAP_HA_USER_QUERY_FIELD = 'username'
 AUTH_LDAP_HA_GLOBAL_OPTIONS = {
-    ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER,
+    ldap.OPT_X_TLS_REQUIRE_CERT: LDAP_TLS_REQUIRE_CERT,
     ldap.OPT_REFERRALS: CONFIG.AUTH_LDAP_HA_OPTIONS_OPT_REFERRALS
 }
 LDAP_HA_CACERT_FILE = os.path.join(PROJECT_DIR, "data", "certs", "ldap_ha_ca.pem")
@@ -146,7 +149,7 @@ RADIUS_ATTRIBUTES = CONFIG.RADIUS_ATTRIBUTES
 # CAS Auth
 AUTH_CAS = CONFIG.AUTH_CAS
 CAS_SERVER_URL = CONFIG.CAS_SERVER_URL
-CAS_VERIFY_SSL_CERTIFICATE = False
+CAS_VERIFY_SSL_CERTIFICATE = CONFIG.VERIFY_EXTERNAL_SSL
 CAS_LOGIN_URL_NAME = "authentication:cas:cas-login"
 CAS_LOGOUT_URL_NAME = "authentication:cas:cas-logout"
 CAS_LOGIN_MSG = None

apps/jumpserver/settings/base.py

@@ -363,6 +363,7 @@ FILE_UPLOAD_PERMISSIONS = 0o644
 FILE_UPLOAD_DIRECTORY_PERMISSIONS = 0o755
 
 X_FRAME_OPTIONS = CONFIG.X_FRAME_OPTIONS
+VERIFY_EXTERNAL_SSL = CONFIG.VERIFY_EXTERNAL_SSL
 
 # Cache use redis
 REDIS_SSL_KEY = exist_or_default(os.path.join(CERTS_DIR, 'redis_client.key'), None)