Merge branch 'dev' into pr@dev@change_import (#11815)

* perf: 修改获取 ip

* perf: 修改导入

---------

Co-authored-by: ibuler <ibuler@qq.com>

apps/authentication/api/access_key.py

@@ -5,8 +5,8 @@ from django.utils.translation import gettext as _
 from rest_framework import serializers
 from rest_framework.response import Response
 
+from authentication.permissions import UserConfirmation
 from common.api import JMSModelViewSet
-from common.permissions import UserConfirmation
 from rbac.permissions import RBACPermission
 from ..const import ConfirmType
 from ..serializers import AccessKeySerializer

apps/authentication/api/confirm.py

@@ -7,7 +7,8 @@ from rest_framework import status
 from rest_framework.generics import RetrieveAPIView, CreateAPIView
 from rest_framework.response import Response
 
-from common.permissions import IsValidUser, UserConfirmation
+from authentication.permissions import UserConfirmation
+from common.permissions import IsValidUser
 from ..const import ConfirmType
 from ..serializers import ConfirmSerializer
 

apps/authentication/api/dingtalk.py

@@ -4,8 +4,9 @@ from rest_framework.views import APIView
 
 from authentication import errors
 from authentication.const import ConfirmType
+from authentication.permissions import UserConfirmation
 from common.api import RoleUserMixin, RoleAdminMixin
-from common.permissions import UserConfirmation, IsValidUser
+from common.permissions import IsValidUser
 from common.utils import get_logger
 from users.models import User
 

apps/authentication/api/feishu.py

@@ -4,12 +4,13 @@ from rest_framework.views import APIView
 
 from authentication import errors
 from authentication.const import ConfirmType
+from authentication.permissions import UserConfirmation
 from common.api import RoleUserMixin, RoleAdminMixin
-from common.permissions import UserConfirmation, IsValidUser
+from common.permissions import IsValidUser
 from common.utils import get_logger
 from users.models import User
 
-logger = get_logger(__file__)
+logger = get_logger(__name__)
 
 
 class FeiShuQRUnBindBase(APIView):

apps/authentication/api/wecom.py

@@ -4,8 +4,9 @@ from rest_framework.views import APIView
 
 from authentication import errors
 from authentication.const import ConfirmType
+from authentication.permissions import UserConfirmation
 from common.api import RoleUserMixin, RoleAdminMixin
-from common.permissions import UserConfirmation, IsValidUser
+from common.permissions import IsValidUser
 from common.utils import get_logger
 from users.models import User
 

apps/authentication/permissions.py

@@ -0,0 +1,58 @@
+import time
+
+from django.conf import settings
+from rest_framework import permissions
+
+from authentication.const import ConfirmType
+from authentication.models import ConnectionToken
+from common.exceptions import UserConfirmRequired
+from common.permissions import IsValidUser
+from common.utils import get_object_or_none
+from orgs.utils import tmp_to_root_org
+
+
+class UserConfirmation(permissions.BasePermission):
+    ttl = 60 * 5
+    min_level = 1
+    confirm_type = 'relogin'
+
+    def has_permission(self, request, view):
+        if not settings.SECURITY_VIEW_AUTH_NEED_MFA:
+            return True
+
+        confirm_level = request.session.get('CONFIRM_LEVEL')
+        confirm_time = request.session.get('CONFIRM_TIME')
+        ttl = self.get_ttl()
+        if not confirm_level or not confirm_time or \
+                confirm_level < self.min_level or \
+                confirm_time < time.time() - ttl:
+            raise UserConfirmRequired(code=self.confirm_type)
+        return True
+
+    def get_ttl(self):
+        if self.confirm_type == ConfirmType.MFA:
+            ttl = settings.SECURITY_MFA_VERIFY_TTL
+        else:
+            ttl = self.ttl
+        return ttl
+
+    @classmethod
+    def require(cls, confirm_type=ConfirmType.RELOGIN, ttl=60 * 5):
+        min_level = ConfirmType.values.index(confirm_type) + 1
+        name = 'UserConfirmationLevel{}TTL{}'.format(min_level, ttl)
+        return type(name, (cls,), {'min_level': min_level, 'ttl': ttl, 'confirm_type': confirm_type})
+
+
+class IsValidUserOrConnectionToken(IsValidUser):
+    def has_permission(self, request, view):
+        return super().has_permission(request, view) \
+            or self.is_valid_connection_token(request)
+
+    @staticmethod
+    def is_valid_connection_token(request):
+        token_id = request.query_params.get('token')
+        if not token_id:
+            return False
+        with tmp_to_root_org():
+            token = get_object_or_none(ConnectionToken, id=token_id)
+        return token and token.is_valid

apps/authentication/views/dingtalk.py

@@ -13,7 +13,7 @@ from authentication import errors
 from authentication.const import ConfirmType
 from authentication.mixins import AuthMixin
 from authentication.notifications import OAuthBindMessage
-from common.permissions import UserConfirmation
+from authentication.permissions import UserConfirmation
 from common.sdk.im.dingtalk import URL, DingTalk
 from common.utils import get_logger
 from common.utils.common import get_request_ip

apps/authentication/views/feishu.py

@@ -11,7 +11,7 @@ from rest_framework.permissions import AllowAny, IsAuthenticated
 
 from authentication.const import ConfirmType
 from authentication.notifications import OAuthBindMessage
-from common.permissions import UserConfirmation
+from authentication.permissions import UserConfirmation
 from common.sdk.im.feishu import URL, FeiShu
 from common.utils import get_logger
 from common.utils.common import get_request_ip

apps/authentication/views/wecom.py

@@ -13,7 +13,7 @@ from authentication import errors
 from authentication.const import ConfirmType
 from authentication.mixins import AuthMixin
 from authentication.notifications import OAuthBindMessage
-from common.permissions import UserConfirmation
+from authentication.permissions import UserConfirmation
 from common.sdk.im.wecom import URL
 from common.sdk.im.wecom import WeCom
 from common.utils import get_logger