From 9d201bbf98617d1464669f833b49d615da14d190 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Fri, 1 Nov 2019 20:34:56 +0800
Subject: [PATCH] =?UTF-8?q?[Update]=20=E4=BF=AE=E6=94=B9=20token=20api?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/api/auth.py    |   4 +-
 apps/authentication/api/token.py   | 133 ++++++++++++++++++++---------
 apps/authentication/const.py       |  10 ---
 apps/authentication/errors.py      |  41 +++++++++
 apps/authentication/utils.py       |  10 +--
 apps/authentication/views/login.py |   8 +-
 6 files changed, 144 insertions(+), 62 deletions(-)
 delete mode 100644 apps/authentication/const.py
 create mode 100644 apps/authentication/errors.py

diff --git a/apps/authentication/api/auth.py b/apps/authentication/api/auth.py
index 8b1ab69c0..c7c78422a 100644
--- a/apps/authentication/api/auth.py
+++ b/apps/authentication/api/auth.py
@@ -22,7 +22,7 @@ from users.utils import (
     check_otp_code, increase_login_failed_count,
     is_block_login, clean_failed_count
 )
-from .. import const
+from .. import errors
 from ..utils import check_user_valid
 from ..serializers import OtpVerifySerializer
 from ..signals import post_auth_success, post_auth_failed
@@ -174,7 +174,7 @@ class UserOtpAuthApi(RootOrgViewMixin, APIView):
                 status=401
             )
         if not check_otp_code(user.otp_secret_key, otp_code):
-            self.send_auth_signal(success=False, username=user.username, reason=const.mfa_failed)
+            self.send_auth_signal(success=False, username=user.username, reason=errors.mfa_failed)
             return Response({'msg': _('MFA certification failed')}, status=401)
         self.send_auth_signal(success=True, user=user)
         token, expired_at = user.create_bearer_token(request)
diff --git a/apps/authentication/api/token.py b/apps/authentication/api/token.py
index 8855ac1c9..e2d5b2a58 100644
--- a/apps/authentication/api/token.py
+++ b/apps/authentication/api/token.py
@@ -1,23 +1,20 @@
 # -*- coding: utf-8 -*-
 #
 
-import uuid
-
-from django.core.cache import cache
 from django.utils.translation import ugettext as _
 from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 from rest_framework.generics import CreateAPIView
-from drf_yasg.utils import swagger_auto_schema
 
-from common.utils import get_request_ip, get_logger
+from common.utils import get_request_ip, get_logger, get_object_or_none
 from users.utils import (
     check_otp_code, increase_login_failed_count,
     is_block_login, clean_failed_count
 )
+from users.models import User
 from ..utils import check_user_valid
 from ..signals import post_auth_success, post_auth_failed
-from .. import serializers
+from .. import serializers, errors
 
 
 logger = get_logger(__name__)
@@ -25,29 +22,41 @@ logger = get_logger(__name__)
 __all__ = ['TokenCreateApi']
 
 
-class AuthFailedError(Exception):
-    def __init__(self, msg, reason=None):
-        self.msg = msg
-        self.reason = reason
-
-
-class MFARequiredError(Exception):
-    pass
-
-
 class TokenCreateApi(CreateAPIView):
     permission_classes = (AllowAny,)
     serializer_class = serializers.BearerTokenSerializer
 
-    @staticmethod
-    def check_is_block(username, ip):
-        if is_block_login(username, ip):
-            msg = _("Log in frequently and try again later")
-            logger.warn(msg + ': ' + username + ':' + ip)
-            raise AuthFailedError(msg)
+    def check_session(self):
+        pass
 
-    def check_user_valid(self):
+    def get_request_ip(self):
+        ip = self.request.data.get('remote_addr', None)
+        ip = ip or get_request_ip(self.request)
+        return ip
+
+    def check_is_block(self):
+        username = self.request.data.get("username")
+        ip = self.get_request_ip()
+        if is_block_login(username, ip):
+            msg = errors.ip_blocked
+            logger.warn(msg + ': ' + username + ':' + ip)
+            raise errors.AuthFailedError(msg, 'blocked')
+
+    def get_user_from_session(self):
+        user_id = self.request.session["user_id"]
+        user = get_object_or_none(User, pk=user_id)
+        if not user:
+            error = "Not user in session: {}".format(user_id)
+            raise errors.AuthFailedError(error, 'session_error')
+        return user
+
+    def check_user_auth(self):
         request = self.request
+        if request.session.get("auth_password") and \
+                request.session.get('user_id'):
+            user = self.get_user_from_session()
+            return user
+        self.check_is_block()
         username = request.data.get('username', '')
         password = request.data.get('password', '')
         public_key = request.data.get('public_key', '')
@@ -55,34 +64,76 @@ class TokenCreateApi(CreateAPIView):
             username=username, password=password,
             public_key=public_key
         )
+        ip = self.get_request_ip()
         if not user:
-            raise AuthFailedError(msg)
+            raise errors.AuthFailedError(msg, error='auth_failed', username=username)
+        clean_failed_count(username, ip)
+        request.session['auth_password'] = 1
+        request.session['user_id'] = str(user.id)
         return user
 
+    def check_user_mfa_if_need(self, user):
+        if self.request.session.get('auth_mfa'):
+            return True
+        if not user.otp_enabled or not user.otp_secret_key:
+            return True
+        otp_code = self.request.data.get("otp_code")
+        if not otp_code:
+            raise errors.MFARequiredError()
+        if not check_otp_code(user.otp_secret_key, otp_code):
+            raise errors.AuthFailedError(
+                errors.mfa_failed, error='mfa_failed',
+                username=user.username,
+            )
+        return True
+
+    def check_user_login_confirm_if_need(self, user):
+        from orders.models import LoginConfirmOrder
+        confirm_setting = user.get_login_confirm_setting()
+        if self.request.session.get('auth_confirm') or not confirm_setting:
+            return
+        order = None
+        if self.request.session.get('auth_order_id'):
+            order_id = self.request.session['auth_order_id']
+            order = get_object_or_none(LoginConfirmOrder, pk=order_id)
+        if not order:
+            order = confirm_setting.create_confirm_order(self.request)
+            self.request.session['auth_order_id'] = str(order.id)
+
+        if order.status == "accepted":
+            return
+        elif order.status == "rejected":
+            raise errors.LoginConfirmRejectedError()
+        else:
+            raise errors.LoginConfirmWaitError()
+
     def create(self, request, *args, **kwargs):
-        username = self.request.data.get('username')
-        ip = self.request.data.get('remote_addr', None)
-        ip = ip or get_request_ip(self.request)
-        user = None
+        self.check_session()
+        # 如果认证没有过，检查账号密码
         try:
-            self.check_is_block(username, ip)
-            user = self.check_user_valid()
-            if user.otp_enabled:
-                raise MFARequiredError()
+            user = self.check_user_auth()
+            self.check_user_mfa_if_need(user)
+            self.check_user_login_confirm_if_need(user)
             self.send_auth_signal(success=True, user=user)
-            clean_failed_count(username, ip)
             resp = super().create(request, *args, **kwargs)
             return resp
-        except AuthFailedError as e:
-            increase_login_failed_count(username, ip)
-            self.send_auth_signal(success=False, user=user, username=username, reason=str(e))
-            return Response({'msg': str(e)}, status=401)
-        except MFARequiredError:
+        except errors.AuthFailedError as e:
+            if e.username:
+                increase_login_failed_count(e.username, self.get_request_ip())
+                self.send_auth_signal(
+                    success=False, username=e.username, reason=e.reason
+                )
+            return Response({'msg': e.reason, 'error': e.error}, status=401)
+        except errors.MFARequiredError:
             msg = _("MFA required")
-            seed = uuid.uuid4().hex
-            cache.set(seed, user.username, 300)
-            data = {'msg': msg, "choices": ["otp"], "req": seed}
+            data = {'msg': msg, "choices": ["otp"], "error": 'mfa_required'}
             return Response(data, status=300)
+        except errors.LoginConfirmRejectedError as e:
+            pass
+        except errors.LoginConfirmWaitError as e:
+            pass
+        except errors.LoginConfirmRequiredError as e:
+            pass
 
     def send_auth_signal(self, success=True, user=None, username='', reason=''):
         if success:
diff --git a/apps/authentication/const.py b/apps/authentication/const.py
deleted file mode 100644
index 0d1f3de7b..000000000
--- a/apps/authentication/const.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from django.utils.translation import ugettext_lazy as _
-
-
-password_failed = _('Username/password check failed')
-mfa_failed = _('MFA authentication failed')
-user_not_exist = _("Username does not exist")
-password_expired = _("Password expired")
-user_invalid = _('Disabled or expired')
diff --git a/apps/authentication/errors.py b/apps/authentication/errors.py
new file mode 100644
index 000000000..4b104625d
--- /dev/null
+++ b/apps/authentication/errors.py
@@ -0,0 +1,41 @@
+# -*- coding: utf-8 -*-
+#
+from django.utils.translation import ugettext_lazy as _
+
+password_failed = _('Username/password check failed')
+mfa_failed = _('MFA authentication failed')
+user_not_exist = _("Username does not exist")
+password_expired = _("Password expired")
+user_invalid = _('Disabled or expired')
+ip_blocked = _("Log in frequently and try again later")
+
+mfa_required = _("MFA required")
+login_confirm_required = _("Login confirm required")
+login_confirm_wait = _("Wait login confirm")
+
+
+class AuthFailedError(Exception):
+    def __init__(self, reason, error=None, username=None):
+        self.reason = reason
+        self.error = error
+        self.username = username
+
+
+class MFARequiredError(Exception):
+    reason = mfa_required
+    error = 'mfa_required'
+
+
+class LoginConfirmRequiredError(Exception):
+    reason = login_confirm_required
+    error = 'login_confirm_required'
+
+
+class LoginConfirmWaitError(Exception):
+    reason = login_confirm_wait
+    error = 'login_confirm_wait'
+
+
+class LoginConfirmRejectedError(Exception):
+    reason = login_confirm_wait
+    error = 'login_confirm_rejected'
diff --git a/apps/authentication/utils.py b/apps/authentication/utils.py
index 85b486bf3..c96878e38 100644
--- a/apps/authentication/utils.py
+++ b/apps/authentication/utils.py
@@ -8,7 +8,7 @@ from common.utils import (
     get_ip_city, get_object_or_none, validate_ip, get_request_ip
 )
 from users.models import User
-from . import const
+from . import errors
 
 
 def write_login_log(*args, **kwargs):
@@ -38,11 +38,11 @@ def check_user_valid(**kwargs):
         user = None
 
     if user is None:
-        return None, const.user_not_exist
+        return None, errors.user_not_exist
     elif not user.is_valid:
-        return None, const.user_invalid
+        return None, errors.user_invalid
     elif user.password_has_expired:
-        return None, const.password_expired
+        return None, errors.password_expired
 
     if password and authenticate(username=username, password=password):
         return user, ''
@@ -55,4 +55,4 @@ def check_user_valid(**kwargs):
         elif len(public_key_saved) > 1:
             if public_key == public_key_saved[1]:
                 return user, ''
-    return None, const.password_failed
+    return None, errors.password_failed
diff --git a/apps/authentication/views/login.py b/apps/authentication/views/login.py
index 761e656a1..f8e5984b1 100644
--- a/apps/authentication/views/login.py
+++ b/apps/authentication/views/login.py
@@ -27,7 +27,7 @@ from users.utils import (
 from ..models import LoginConfirmSetting
 from ..signals import post_auth_success, post_auth_failed
 from .. import forms
-from .. import const
+from .. import errors
 
 
 __all__ = [
@@ -83,7 +83,7 @@ class UserLoginView(FormView):
         user = form.get_user()
         # user password expired
         if user.password_has_expired:
-            reason = const.password_expired
+            reason = errors.password_expired
             self.send_auth_signal(success=False, username=user.username, reason=reason)
             return self.render_to_response(self.get_context_data(password_expired=True))
 
@@ -99,7 +99,7 @@ class UserLoginView(FormView):
         # write login failed log
         username = form.cleaned_data.get('username')
         exist = User.objects.filter(username=username).first()
-        reason = const.password_failed if exist else const.user_not_exist
+        reason = errors.password_failed if exist else errors.user_not_exist
         # limit user login failed count
         ip = get_request_ip(self.request)
         increase_login_failed_count(username, ip)
@@ -150,7 +150,7 @@ class UserLoginOtpView(FormView):
         else:
             self.send_auth_signal(
                 success=False, username=user.username,
-                reason=const.mfa_failed
+                reason=errors.mfa_failed
             )
             form.add_error(
                 'otp_code', _('MFA code invalid, or ntp sync server time')