feat: user login acl (#6963)

* feat: user login acl * 添加分时登陆 * acl 部分还原 * 简化acl判断逻辑 Co-authored-by: feng626 <1304903146@qq.com> Co-authored-by: feng626 <57284900+feng626@users.noreply.github.com>
2025-09-04 17:01:09 +00:00 · 2021-10-20 17:56:59 +08:00
parent 9424929dde
commit 9acfd461b4
32 changed files with 325 additions and 206 deletions
--- a/apps/authentication/api/login_confirm.py
+++ b/apps/authentication/api/login_confirm.py
@@ -8,29 +8,12 @@ from django.shortcuts import get_object_or_404

 from common.utils import get_logger
 from common.permissions import IsOrgAdmin
-from ..models import LoginConfirmSetting
-from ..serializers import LoginConfirmSettingSerializer
 from .. import errors, mixins

-__all__ = ['LoginConfirmSettingUpdateApi', 'TicketStatusApi']
+__all__ = ['TicketStatusApi']
 logger = get_logger(__name__)


-class LoginConfirmSettingUpdateApi(UpdateAPIView):
-    permission_classes = (IsOrgAdmin,)
-    serializer_class = LoginConfirmSettingSerializer
-
-    def get_object(self):
-        from users.models import User
-        user_id = self.kwargs.get('user_id')
-        user = get_object_or_404(User, pk=user_id)
-        defaults = {'user': user}
-        s, created = LoginConfirmSetting.objects.get_or_create(
-            defaults, user=user,
-        )
-        return s
-
-
 class TicketStatusApi(mixins.AuthMixin, APIView):
    permission_classes = (AllowAny,)

--- a/apps/authentication/errors.py
+++ b/apps/authentication/errors.py
@@ -261,6 +261,13 @@ class LoginIPNotAllowed(ACLError):
        super().__init__(_("IP is not allowed"), **kwargs)


+class TimePeriodNotAllowed(ACLError):
+    def __init__(self, username, request, **kwargs):
+        self.username = username
+        self.request = request
+        super().__init__(_("Time Period is not allowed"), **kwargs)
+
+
 class LoginConfirmBaseError(NeedMoreInfoError):
    def __init__(self, ticket_id, **kwargs):
        self.ticket_id = ticket_id
--- a/apps/authentication/migrations/0005_delete_loginconfirmsetting.py
+++ b/apps/authentication/migrations/0005_delete_loginconfirmsetting.py
@@ -0,0 +1,16 @@
+# Generated by Django 3.1.12 on 2021-09-26 11:13
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('authentication', '0004_ssotoken'),
+    ]
+
+    operations = [
+        migrations.DeleteModel(
+            name='LoginConfirmSetting',
+        ),
+    ]
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@@ -17,9 +17,9 @@ from django.contrib.auth import (
 from django.shortcuts import reverse, redirect

 from common.utils import get_object_or_none, get_request_ip, get_logger, bulk_get, FlashMessageUtil
+from acls.models import LoginACL
 from users.models import User, MFAType
 from users.utils import LoginBlockUtil, MFABlockUtils
-from users.exceptions import MFANotEnabled
 from . import errors
 from .utils import rsa_decrypt, gen_key_pair
 from .signals import post_auth_success, post_auth_failed
@@ -247,10 +247,12 @@ class AuthMixin(PasswordEncryptionViewMixin):

    def _check_login_acl(self, user, ip):
        # ACL 限制用户登录
-        from acls.models import LoginACL
-        is_allowed = LoginACL.allow_user_to_login(user, ip)
+        is_allowed, limit_type = LoginACL.allow_user_to_login(user, ip)
        if not is_allowed:
-            raise errors.LoginIPNotAllowed(username=user.username, request=self.request)
+            if limit_type == 'ip':
+                raise errors.LoginIPNotAllowed(username=user.username, request=self.request)
+            elif limit_type == 'time':
+                raise errors.TimePeriodNotAllowed(username=user.username, request=self.request)

    def set_login_failed_mark(self):
        ip = self.get_request_ip()
@@ -463,10 +465,9 @@ class AuthMixin(PasswordEncryptionViewMixin):
            )

    def check_user_login_confirm_if_need(self, user):
-        if not settings.LOGIN_CONFIRM_ENABLE:
-            return
-        confirm_setting = user.get_login_confirm_setting()
-        if self.request.session.get('auth_confirm') or not confirm_setting:
+        ip = self.get_request_ip()
+        is_allowed, confirm_setting = LoginACL.allow_user_confirm_if_need(user, ip)
+        if self.request.session.get('auth_confirm') or not is_allowed:
            return
        self.get_ticket_or_create(confirm_setting)
        self.check_user_login_confirm()
--- a/apps/authentication/models.py
+++ b/apps/authentication/models.py
@@ -1,13 +1,10 @@
 import uuid

-from django.utils import timezone
 from django.utils.translation import ugettext_lazy as _
 from rest_framework.authtoken.models import Token
 from django.conf import settings

 from common.db import models
-from common.mixins.models import CommonModelMixin
-from common.utils import get_object_or_none, get_request_ip, get_ip_city


 class AccessKey(models.Model):
@@ -40,56 +37,6 @@ class PrivateToken(Token):
        verbose_name = _('Private Token')


-class LoginConfirmSetting(CommonModelMixin):
-    user = models.OneToOneField('users.User', on_delete=models.CASCADE, verbose_name=_("User"), related_name="login_confirm_setting")
-    reviewers = models.ManyToManyField('users.User', verbose_name=_("Reviewers"), related_name="review_login_confirm_settings", blank=True)
-    is_active = models.BooleanField(default=True, verbose_name=_("Is active"))
-
-    class Meta:
-        verbose_name = _('Login Confirm')
-
-    @classmethod
-    def get_user_confirm_setting(cls, user):
-        return get_object_or_none(cls, user=user)
-
-    @staticmethod
-    def construct_confirm_ticket_meta(request=None):
-        if request:
-            login_ip = get_request_ip(request)
-        else:
-            login_ip = ''
-        login_ip = login_ip or '0.0.0.0'
-        login_city = get_ip_city(login_ip)
-        login_datetime = timezone.now().strftime('%Y-%m-%d %H:%M:%S')
-        ticket_meta = {
-            'apply_login_ip': login_ip,
-            'apply_login_city': login_city,
-            'apply_login_datetime': login_datetime,
-        }
-        return ticket_meta
-
-    def create_confirm_ticket(self, request=None):
-        from tickets import const
-        from tickets.models import Ticket
-        from orgs.models import Organization
-        ticket_title = _('Login confirm') + ' {}'.format(self.user)
-        ticket_meta = self.construct_confirm_ticket_meta(request)
-        data = {
-            'title': ticket_title,
-            'type': const.TicketType.login_confirm.value,
-            'meta': ticket_meta,
-            'org_id': Organization.ROOT_ID,
-        }
-        ticket = Ticket.objects.create(**data)
-        ticket.create_process_map_and_node(self.reviewers.all())
-        ticket.open(self.user)
-        return ticket
-
-    def __str__(self):
-        reviewers = [u.username for u in self.reviewers.all()]
-        return _('{} need confirm by {}').format(self.user.username, reviewers)
-
-
 class SSOToken(models.JMSBaseModel):
    """
    类似腾讯企业邮的 [单点登录](https://exmail.qq.com/qy_mng_logic/doc#10036)
--- a/apps/authentication/serializers.py
+++ b/apps/authentication/serializers.py
@@ -10,12 +10,11 @@ from applications.models import Application
 from users.serializers import UserProfileSerializer
 from assets.serializers import ProtocolsField
 from perms.serializers.asset.permission import ActionsField
-from .models import AccessKey, LoginConfirmSetting
-
+from .models import AccessKey

 __all__ = [
    'AccessKeySerializer', 'OtpVerifySerializer', 'BearerTokenSerializer',
-    'MFAChallengeSerializer', 'LoginConfirmSettingSerializer', 'SSOTokenSerializer',
+    'MFAChallengeSerializer', 'SSOTokenSerializer',
    'ConnectionTokenSerializer', 'ConnectionTokenSecretSerializer',
    'PasswordVerifySerializer', 'MFASelectTypeSerializer',
 ]
@@ -92,13 +91,6 @@ class MFAChallengeSerializer(serializers.Serializer):
        pass


-class LoginConfirmSettingSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = LoginConfirmSetting
-        fields = ['id', 'user', 'reviewers', 'date_created', 'date_updated']
-        read_only_fields = ['date_created', 'date_updated']
-
-
 class SSOTokenSerializer(serializers.Serializer):
    username = serializers.CharField(write_only=True)
    login_url = serializers.CharField(read_only=True)
@@ -201,4 +193,3 @@ class ConnectionTokenSecretSerializer(serializers.Serializer):
    gateway = ConnectionTokenGatewaySerializer(read_only=True)
    actions = ActionsField()
    expired_at = serializers.IntegerField()
-
--- a/apps/authentication/urls/api_urls.py
+++ b/apps/authentication/urls/api_urls.py
@@ -31,7 +31,6 @@ urlpatterns = [
    path('sms/verify-code/send/', api.SendSMSVerifyCodeApi.as_view(), name='sms-verify-code-send'),
    path('password/verify/', api.UserPasswordVerifyApi.as_view(), name='user-password-verify'),
    path('login-confirm-ticket/status/', api.TicketStatusApi.as_view(), name='login-confirm-ticket-status'),
-    path('login-confirm-settings/<uuid:user_id>/', api.LoginConfirmSettingUpdateApi.as_view(), name='login-confirm-setting-update')
 ]

 urlpatterns += router.urls