diff --git a/apps/authentication/api/auth.py b/apps/authentication/api/auth.py index 0c7c1a16e..bca8e2144 100644 --- a/apps/authentication/api/auth.py +++ b/apps/authentication/api/auth.py @@ -24,8 +24,10 @@ from users.utils import ( ) from users.hands import Asset, SystemUser - logger = get_logger(__name__) +__all__ = [ + 'UserAuthApi', 'UserConnectionTokenApi', 'UserOtpAuthApi', +] class UserAuthApi(RootOrgViewMixin, APIView): @@ -146,29 +148,6 @@ class UserConnectionTokenApi(RootOrgViewMixin, APIView): return super().get_permissions() -class UserToken(APIView): - permission_classes = (AllowAny,) - - def post(self, request): - if not request.user.is_authenticated: - username = request.data.get('username', '') - email = request.data.get('email', '') - password = request.data.get('password', '') - public_key = request.data.get('public_key', '') - - user, msg = check_user_valid( - username=username, email=email, - password=password, public_key=public_key) - else: - user = request.user - msg = None - if user: - token = user.create_bearer_token(request) - return Response({'Token': token, 'Keyword': 'Bearer'}, status=200) - else: - return Response({'error': msg}, status=406) - - class UserOtpAuthApi(RootOrgViewMixin, APIView): permission_classes = (AllowAny,) serializer_class = UserSerializer diff --git a/apps/authentication/radius/__init__.py b/apps/authentication/backends/__init__.py similarity index 100% rename from apps/authentication/radius/__init__.py rename to apps/authentication/backends/__init__.py diff --git a/apps/authentication/authentication.py b/apps/authentication/backends/api.py similarity index 100% rename from apps/authentication/authentication.py rename to apps/authentication/backends/api.py diff --git a/apps/authentication/ldap/backends.py b/apps/authentication/backends/ldap.py similarity index 100% rename from apps/authentication/ldap/backends.py rename to apps/authentication/backends/ldap.py 
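Review bot: The new `__all__` omits `UserToken`, which the second hunk of this same file deletes outright; any URL conf or test that still imports or routes `UserToken` is not part of this diff, so confirm nothing else references it or the package import will fail at startup. The deleted view accepted username/email plus password or public_key on an `AllowAny` endpoint and returned a bearer token, so whichever flow replaces it (presumably `UserAuthApi`, whose body is outside the hunk) should keep the same `check_user_valid` gate. A one-line module docstring naming the three exported views, e.g. `"""Authentication API views: session/bearer auth, OTP second step and connection tokens."""`, would help readers who land here from `apps/users/urls/api_urls.py`.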
diff --git a/apps/authentication/backends/openid/__init__.py b/apps/authentication/backends/openid/__init__.py new file mode 100644 index 000000000..2deaf3cae --- /dev/null +++ b/apps/authentication/backends/openid/__init__.py @@ -0,0 +1,6 @@ +# -*- coding: utf-8 -*- +# + +from .backends import * +from .middleware import * +from .utils import * diff --git a/apps/authentication/openid/backends.py b/apps/authentication/backends/openid/backends.py similarity index 92% rename from apps/authentication/openid/backends.py rename to apps/authentication/backends/openid/backends.py index 15a758acc..b1fa1a9b7 100644 --- a/apps/authentication/openid/backends.py +++ b/apps/authentication/backends/openid/backends.py @@ -4,16 +4,19 @@ from django.contrib.auth import get_user_model from django.conf import settings -from . import client from common.utils import get_logger -from authentication.openid.models import OIDT_ACCESS_TOKEN +from .utils import new_client +from .models import OIDT_ACCESS_TOKEN UserModel = get_user_model() logger = get_logger(__file__) +client = new_client() -BACKEND_OPENID_AUTH_CODE = \ - 'authentication.openid.backends.OpenIDAuthorizationCodeBackend' + +__all__ = [ + 'OpenIDAuthorizationCodeBackend', 'OpenIDAuthorizationPasswordBackend', +] class BaseOpenIDAuthorizationBackend(object): diff --git a/apps/authentication/openid/middleware.py b/apps/authentication/backends/openid/middleware.py similarity index 82% rename from apps/authentication/openid/middleware.py rename to apps/authentication/backends/openid/middleware.py index 128b20984..ee9acb0a9 100644 --- a/apps/authentication/openid/middleware.py +++ b/apps/authentication/backends/openid/middleware.py 
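Review bot: Importing the package now executes `from .backends import *` and `from .middleware import *`, and each of those modules builds a Keycloak client at module level (`client = new_client()` is added to backends.py in this file's second hunk, and the same line to middleware.py and views.py), so merely importing `authentication.backends.openid` — which signals_handlers.py does just to reach `new_client` — reads `AUTH_OPENID_CLIENT_ID`/`AUTH_OPENID_CLIENT_SECRET` and constructs three separate clients even when `AUTH_OPENID` is disabled. Whether `Client` construction performs any network I/O is not visible here. A lazily built shared instance in utils.py, e.g. a `get_client()` wrapper around `new_client()` decorated with `@functools.lru_cache(maxsize=1)`, would keep the package import free of side effects and let all four call sites share one instance. The same applies to the `client = new_client()` lines in the middleware.py and views.py hunks.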
@@ -6,12 +6,15 @@ from django.contrib.auth import logout from django.utils.deprecation import MiddlewareMixin from django.contrib.auth import BACKEND_SESSION_KEY -from . import client from common.utils import get_logger -from .backends import BACKEND_OPENID_AUTH_CODE -from authentication.openid.models import OIDT_ACCESS_TOKEN +from .utils import new_client +from .models import OIDT_ACCESS_TOKEN +BACKEND_OPENID_AUTH_CODE = \ + 'authentication.backends.openid.OpenIDAuthorizationCodeBackend' +client = new_client() logger = get_logger(__file__) +__all__ = ['OpenIDAuthenticationMiddleware'] class OpenIDAuthenticationMiddleware(MiddlewareMixin): diff --git a/apps/authentication/openid/models.py b/apps/authentication/backends/openid/models.py similarity index 99% rename from apps/authentication/openid/models.py rename to apps/authentication/backends/openid/models.py index e3c0a4842..456c25b62 100644 --- a/apps/authentication/openid/models.py +++ b/apps/authentication/backends/openid/models.py @@ -5,7 +5,8 @@ from django.db import transaction from django.contrib.auth import get_user_model from keycloak.realm import KeycloakRealm from keycloak.keycloak_openid import KeycloakOpenID -from ..signals import post_create_openid_user + +from .signals import post_create_openid_user OIDT_ACCESS_TOKEN = 'oidt_access_token' diff --git a/apps/authentication/backends/openid/signals.py b/apps/authentication/backends/openid/signals.py new file mode 100644 index 000000000..d5e57a005 --- /dev/null +++ b/apps/authentication/backends/openid/signals.py @@ -0,0 +1,5 @@ +from django.dispatch import Signal + + +post_create_openid_user = Signal(providing_args=('user',)) +post_openid_login_success = Signal(providing_args=('user', 'request')) diff --git a/apps/authentication/openid/tests.py b/apps/authentication/backends/openid/tests.py similarity index 100% rename from apps/authentication/openid/tests.py rename to apps/authentication/backends/openid/tests.py 
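Review bot: The relocated constant `BACKEND_OPENID_AUTH_CODE = 'authentication.backends.openid.OpenIDAuthorizationCodeBackend'` no longer matches the string registered in settings.py, which is `'authentication.backends.openid.backends.OpenIDAuthorizationCodeBackend'` (the `.backends.` segment is missing). Django stores the backend path exactly as listed in `AUTHENTICATION_BACKENDS` under `BACKEND_SESSION_KEY`, so any comparison of the session value against this constant — the middleware body is outside the hunk, but it imports `BACKEND_SESSION_KEY` for that purpose — will never be true, and whatever the middleware does for code-flow OpenID sessions (token re-validation or forced logout, presumably) would silently stop running. Before this change the two strings agreed. Change it to `BACKEND_OPENID_AUTH_CODE = 'authentication.backends.openid.backends.OpenIDAuthorizationCodeBackend'` and add a comment such as `# Must match the entry in settings.AUTH_OPENID_BACKENDS; Django stores that exact path in the session.`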
diff --git a/apps/authentication/backends/openid/urls.py b/apps/authentication/backends/openid/urls.py new file mode 100644 index 000000000..019529e12 --- /dev/null +++ b/apps/authentication/backends/openid/urls.py @@ -0,0 +1,11 @@ +# -*- coding: utf-8 -*- +# +from django.urls import path + +from . import views + +urlpatterns = [ + path('login/', views.OpenIDLoginView.as_view(), name='openid-login'), + path('login/complete/', views.OpenIDLoginCompleteView.as_view(), + name='openid-login-complete'), +] diff --git a/apps/authentication/openid/__init__.py b/apps/authentication/backends/openid/utils.py similarity index 94% rename from apps/authentication/openid/__init__.py rename to apps/authentication/backends/openid/utils.py index bc4c753ca..15160d224 100644 --- a/apps/authentication/openid/__init__.py +++ b/apps/authentication/backends/openid/utils.py @@ -4,6 +4,8 @@ from django.conf import settings from .models import Client +__all__ = ['new_client'] + def new_client(): """ @@ -15,6 +17,3 @@ def new_client(): client_id=settings.AUTH_OPENID_CLIENT_ID, client_secret=settings.AUTH_OPENID_CLIENT_SECRET ) - - -client = new_client() diff --git a/apps/authentication/views/openid.py b/apps/authentication/backends/openid/views.py similarity index 84% rename from apps/authentication/views/openid.py rename to apps/authentication/backends/openid/views.py index 612cf2c68..60e001434 100644 --- a/apps/authentication/views/openid.py +++ b/apps/authentication/backends/openid/views.py @@ -3,7 +3,6 @@ import logging -from django.urls import reverse from django.conf import settings from django.core.cache import cache from django.views.generic.base import RedirectView 
@@ -14,12 +13,12 @@ from django.http.response import ( HttpResponseRedirect ) -from ..openid import client -from ..openid.models import Nonce -from ..signals import post_auth_success +from .utils import new_client +from .models import Nonce +from .signals import post_openid_login_success logger = logging.getLogger(__name__) - +client = new_client() __all__ = ['OpenIDLoginView', 'OpenIDLoginCompleteView'] @@ -27,8 +26,8 @@ __all__ = ['OpenIDLoginView', 'OpenIDLoginCompleteView'] class OpenIDLoginView(RedirectView): def get_redirect_url(self, *args, **kwargs): - redirect_uri = settings.BASE_SITE_URL + \ - reverse("authentication:openid-login-complete") + # Todo: 待优化 + redirect_uri = settings.BASE_SITE_URL + settings.LOGIN_COMPLETE_URL nonce = Nonce( redirect_uri=redirect_uri, next_path=self.request.GET.get('next') @@ -72,6 +71,6 @@ class OpenIDLoginCompleteView(RedirectView): return HttpResponseBadRequest() login(self.request, user) - post_auth_success.send(sender=self.__class__, user=user, request=self.request) + post_openid_login_success.send(sender=self.__class__, user=user, request=self.request) return HttpResponseRedirect(nonce.next_path or '/') diff --git a/apps/authentication/radius/backends.py b/apps/authentication/backends/radius.py similarity index 100% rename from apps/authentication/radius/backends.py rename to apps/authentication/backends/radius.py diff --git a/apps/authentication/ldap/__init__.py b/apps/authentication/ldap/__init__.py deleted file mode 100644 index e69de29bb..000000000 diff --git a/apps/authentication/signals.py b/apps/authentication/signals.py index 5ba503550..0a305290c 100644 --- a/apps/authentication/signals.py +++ b/apps/authentication/signals.py @@ -1,6 +1,5 @@ from django.dispatch import Signal -post_create_openid_user = Signal(providing_args=('user',)) post_auth_success = Signal(providing_args=('user', 'request')) post_auth_failed = Signal(providing_args=('username', 'request', 'reason')) 
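Review bot: `settings.LOGIN_COMPLETE_URL` in `OpenIDLoginView.get_redirect_url` is only defined inside the `if AUTH_OPENID:` block of settings.py, while view_urls.py mounts the openid routes unconditionally, so hitting `/openid/login/` with OpenID disabled raises `AttributeError` instead of the previous behaviour, where `reverse()` always resolved. The `# Todo: 待优化` marker suggests the author knew this was a stopgap; restoring `from django.urls import reverse` (removed in this file's first hunk) and using `redirect_uri = settings.BASE_SITE_URL + reverse('authentication:openid:openid-login-complete')` keeps the redirect_uri derived from the actual route and removes the settings dependency. The Todo comment should also be in English, e.g. `# TODO: derive redirect_uri from the route rather than a settings value`. `get_redirect_url` continues past the hunk; the same settings-only definition is in the settings.py hunk at `@@ -409,12 +409,13 @@`.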
diff --git a/apps/authentication/signals_handlers.py b/apps/authentication/signals_handlers.py index 5f00c2b8d..a0732894f 100644 --- a/apps/authentication/signals_handlers.py +++ b/apps/authentication/signals_handlers.py @@ -6,11 +6,12 @@ from django.utils import timezone from django_auth_ldap.backend import populate_user from common.utils import get_request_ip -from .openid import client -from .tasks import write_login_log_async -from .signals import ( - post_create_openid_user, post_auth_success, post_auth_failed +from .backends.openid import new_client +from .backends.openid.signals import ( + post_create_openid_user, post_openid_login_success ) +from .tasks import write_login_log_async +from .signals import post_auth_success, post_auth_failed @receiver(user_logged_out) @@ -23,6 +24,7 @@ def on_user_logged_out(sender, request, user, **kwargs): 'redirect_uri': settings.BASE_SITE_URL }) + client = new_client() openid_logout_url = "%s?%s" % ( client.openid_connect_client.get_url( name='end_session_endpoint'), @@ -39,6 +41,11 @@ def on_post_create_openid_user(sender, user=None, **kwargs): user.save() +@receiver(post_openid_login_success) +def on_openid_login_success(sender, user=None, request=None, **kwargs): + post_auth_success.send(sender=sender, user=user, request=request) + + @receiver(populate_user) def on_ldap_create_user(sender, user, ldap_user, **kwargs): if user and user.name != 'admin': diff --git a/apps/authentication/urls/view_urls.py b/apps/authentication/urls/view_urls.py index 2b68a6f71..592a9dfb3 100644 --- a/apps/authentication/urls/view_urls.py +++ b/apps/authentication/urls/view_urls.py @@ -1,7 +1,7 @@ # coding:utf-8 # -from django.urls import path +from django.urls import path, include from .. import views 
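Review bot: The new `on_openid_login_success` receiver lacks a docstring explaining why it exists, which matters because the view used to send `post_auth_success` directly and a reader will wonder why the indirection. Add `"""Re-emit the OpenID-specific login signal as the generic post_auth_success so login logging and other receivers see OpenID logins too."""` under the `def`. It also forwards `sender=sender`, so receivers of `post_auth_success` still see the view class as sender, which preserves the old behaviour; worth stating in the docstring so nobody "fixes" it to `sender=None`. In the `on_user_logged_out` hunk, `client = new_client()` now builds a fresh Keycloak client on every logout; the enclosing function starts outside the hunk.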
@@ -9,9 +9,7 @@ app_name = 'authentication' urlpatterns = [ # openid - path('openid/login/', views.OpenIDLoginView.as_view(), name='openid-login'), - path('openid/login/complete/', - views.OpenIDLoginCompleteView.as_view(), name='openid-login-complete'), + path('openid/', include(('authentication.backends.openid.urls', 'authentication'), namespace='openid')), # login path('login/', views.UserLoginView.as_view(), name='login'), diff --git a/apps/authentication/views/__init__.py b/apps/authentication/views/__init__.py index b2659cbd7..5e7732adc 100644 --- a/apps/authentication/views/__init__.py +++ b/apps/authentication/views/__init__.py @@ -1,5 +1,4 @@ # -*- coding: utf-8 -*- # -from .openid import * from .login import * diff --git a/apps/jumpserver/settings.py b/apps/jumpserver/settings.py index 4c0dac0fa..0088bc35b 100644 --- a/apps/jumpserver/settings.py +++ b/apps/jumpserver/settings.py @@ -100,7 +100,7 @@ MIDDLEWARE = [ 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware', - 'authentication.openid.middleware.OpenIDAuthenticationMiddleware', # openid + 'authentication.backends.openid.middleware.OpenIDAuthenticationMiddleware', 'jumpserver.middleware.TimezoneMiddleware', 'jumpserver.middleware.DemoMiddleware', 'jumpserver.middleware.RequestMiddleware', 
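Review bot: The `include(('authentication.backends.openid.urls', 'authentication'), namespace='openid')` line mounts the Keycloak redirect views regardless of whether `AUTH_OPENID` is enabled, so `/openid/login/` and `/openid/login/complete/` remain reachable when the deployment has no OpenID configuration at all. Gating the entry with `if settings.AUTH_OPENID:` and appending it to `urlpatterns` only then would limit exposure to the configured case; that needs `from django.conf import settings`, which the visible import header of this file does not have. The nested names resolve as `authentication:openid:openid-login`, matching the `reverse_lazy` calls in settings.py.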
@@ -343,10 +343,10 @@ REST_FRAMEWORK = { ), 'DEFAULT_AUTHENTICATION_CLASSES': ( # 'rest_framework.authentication.BasicAuthentication', - 'authentication.authentication.AccessKeyAuthentication', - 'authentication.authentication.AccessTokenAuthentication', - 'authentication.authentication.PrivateTokenAuthentication', - 'authentication.authentication.SessionAuthentication', + 'authentication.backends.api.AccessKeyAuthentication', + 'authentication.backends.api.AccessTokenAuthentication', + 'authentication.backends.api.PrivateTokenAuthentication', + 'authentication.backends.api.SessionAuthentication', ), 'DEFAULT_FILTER_BACKENDS': ( 'django_filters.rest_framework.DjangoFilterBackend', @@ -409,12 +409,13 @@ AUTH_OPENID_REALM_NAME = CONFIG.AUTH_OPENID_REALM_NAME AUTH_OPENID_CLIENT_ID = CONFIG.AUTH_OPENID_CLIENT_ID AUTH_OPENID_CLIENT_SECRET = CONFIG.AUTH_OPENID_CLIENT_SECRET AUTH_OPENID_BACKENDS = [ - 'authentication.openid.backends.OpenIDAuthorizationPasswordBackend', - 'authentication.openid.backends.OpenIDAuthorizationCodeBackend', + 'authentication.backends.openid.backends.OpenIDAuthorizationPasswordBackend', + 'authentication.backends.openid.backends.OpenIDAuthorizationCodeBackend', ] if AUTH_OPENID: - LOGIN_URL = reverse_lazy("authentication:openid-login") + LOGIN_URL = reverse_lazy("authentication:openid:openid-login") + LOGIN_COMPLETE_URL = reverse_lazy("authentication:openid:openid-login-complete") AUTHENTICATION_BACKENDS.insert(0, AUTH_OPENID_BACKENDS[0]) AUTHENTICATION_BACKENDS.insert(0, AUTH_OPENID_BACKENDS[1]) diff --git a/apps/users/api/__init__.py b/apps/users/api/__init__.py index a85bf11bb..97e1f1088 100644 --- a/apps/users/api/__init__.py +++ b/apps/users/api/__init__.py @@ -2,5 +2,4 @@ # from .user import * -from .auth import * from .group import * diff --git a/apps/users/api/auth.py b/apps/users/api/auth.py deleted file mode 100644 index 3d98261b1..000000000 --- a/apps/users/api/auth.py +++ /dev/null @@ -1,3 +0,0 @@ -# -*- coding: utf-8 -*- -# - 
diff --git a/apps/users/urls/api_urls.py b/apps/users/urls/api_urls.py index 7c512a2a3..27d5fd5fa 100644 --- a/apps/users/urls/api_urls.py +++ b/apps/users/urls/api_urls.py @@ -5,6 +5,8 @@ from __future__ import absolute_import from django.urls import path from rest_framework_bulk.routes import BulkRouter + +from authentication import api as auth_api from .. import api app_name = 'users' @@ -15,6 +17,11 @@ router.register(r'groups', api.UserGroupViewSet, 'user-group') urlpatterns = [ + path('connection-token/', auth_api.UserConnectionTokenApi.as_view(), + name='connection-token'), + path('auth/', auth_api.UserAuthApi.as_view(), name='user-auth'), + path('otp/auth/', auth_api.UserOtpAuthApi.as_view(), name='user-otp-auth'), + path('profile/', api.UserProfileApi.as_view(), name='user-profile'), path('otp/reset/', api.UserResetOTPApi.as_view(), name='my-otp-reset'), path('users//otp/reset/', api.UserResetOTPApi.as_view(), name='user-reset-otp'),
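Review bot: The three new routes (`connection-token/`, `auth/`, `otp/auth/`) mount views from the authentication app under the users app's API url module, and `from authentication import api as auth_api` only resolves `auth_api.UserAuthApi` if `authentication/api/__init__.py` star-imports `.auth`, which this diff does not show (the `__all__` added to auth.py lists exactly these three names, so the export appears intended). Placing these paths in the authentication app's own API url module would avoid the cross-app dependency and keep credential-accepting endpoints next to the backends that serve them. A short comment above the block, e.g. `# Authentication endpoints kept under /api/users/ for backward compatibility with existing clients`, would explain the placement if it is deliberate.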