fix: delete HmacSignAuthMiddleware
@@ -203,70 +203,3 @@ class CsrfCheckMiddleware(CsrfViewMiddleware):
|
||||
request._dont_enforce_csrf_checks = True
|
||||
return True
|
||||
return super()._origin_verified(request)
|
||||
|
||||
|
||||
class HmacSignAuthMiddleware:
|
||||
"""
|
||||
在响应中写入客户端可读会话状态 Cookie(名:jms_session_sign),
|
||||
供边缘代理、网关或安全设备(含 WAF)基于 Cookie 做访问策略,不特指某一种产品。
|
||||
|
||||
取值约定(均为非空,便于写规则):
|
||||
- 已登录:<hex_hmac>:<username>|<session_id>,HMAC 与 text_hmac_sha256 一致(消息会先 strip/lower)
|
||||
- 有会话 Cookie 但未认证:expired(含会话过期、登出后会话仍存在、或仅匿名会话等)
|
||||
- 请求未带会话 Cookie:unauth(首次访问等)
|
||||
"""
|
||||
|
||||
SIGN_COOKIE_NAME = 'jms_session_sign'
|
||||
MARKER_UNAUTH = 'unauth'
|
||||
MARKER_EXPIRED = 'expired'
|
||||
|
||||
def __init__(self, get_response):
|
||||
self.get_response = get_response
|
||||
enabled = os.getenv("HMAC_SIGN_AUTH_ENABLED", "").lower() in ("1", "true", "yes")
|
||||
key_file_path = os.path.join(settings.PROJECT_DIR, "data", "unshare", "hmac.key")
|
||||
|
||||
if os.path.isfile(key_file_path):
|
||||
with open(key_file_path, 'r') as f:
|
||||
self.hmac_sign_key = f.read().strip()
|
||||
else:
|
||||
self.hmac_sign_key = os.getenv("HMAC_SIGN_KEY", "")
|
||||
|
||||
if not enabled or not self.hmac_sign_key:
|
||||
raise MiddlewareNotUsed
|
||||
|
||||
def __call__(self, request):
|
||||
response = self.get_response(request)
|
||||
return self._set_session_sign_cookie(request, response)
|
||||
|
||||
def _set_session_sign_cookie(self, request, response):
|
||||
session_cookie_name = settings.SESSION_COOKIE_NAME
|
||||
has_session_cookie = bool(request.COOKIES.get(session_cookie_name))
|
||||
|
||||
if request.user.is_authenticated:
|
||||
session_id = request.session.session_key
|
||||
# request.user 可能为 IntegrationApplication对象
|
||||
username = getattr(request.user, 'username', None) or getattr(request.user, 'name', None)
|
||||
sign_data = f'{username}|{session_id}'
|
||||
elif request.path == '/api/v1/authentication/tokens/' \
|
||||
and response.status_code == 201:
|
||||
user = response.data.get('user')
|
||||
if not user:
|
||||
sign_data = ''
|
||||
else:
|
||||
sign_data = f'{user["username"]}:{user["id"]}'
|
||||
else:
|
||||
sign_data = ''
|
||||
|
||||
if sign_data:
|
||||
signature = text_hmac_sha256(sign_data, self.hmac_sign_key)
|
||||
value = f'{signature}:{sign_data}'
|
||||
elif has_session_cookie:
|
||||
value = self.MARKER_EXPIRED
|
||||
else:
|
||||
value = self.MARKER_UNAUTH
|
||||
|
||||
response.set_cookie(
|
||||
self.SIGN_COOKIE_NAME,
|
||||
value,
|
||||
)
|
||||
return response
|
||||
@@ -190,7 +190,6 @@ MIDDLEWARE = [
|
||||
'authentication.middleware.MFAMiddleware',
|
||||
'authentication.middleware.ThirdPartyLoginMiddleware',
|
||||
'authentication.middleware.SessionCookieMiddleware',
|
||||
'jumpserver.middleware.HmacSignAuthMiddleware',
|
||||
'simple_history.middleware.HistoryRequestMiddleware',
|
||||
'jumpserver.middleware.SafeRedirectMiddleware',
|
||||
*POST_CUSTOM_MIDDLEWARES,
|
||||
|
||||