From af53bda90f293142ce9bd236aeb135350008799a Mon Sep 17 00:00:00 2001
From: Bai
Date: Tue, 12 May 2026 17:35:17 +0800
Subject: [PATCH] fix: delete HmacSignAuthMiddleware

---
 apps/jumpserver/middleware.py | 67 --------------------------------
 apps/jumpserver/settings/base.py | 1 -
 2 files changed, 68 deletions(-)

diff --git a/apps/jumpserver/middleware.py b/apps/jumpserver/middleware.py
index a000df1f6..54bb886dd 100644
--- a/apps/jumpserver/middleware.py
+++ b/apps/jumpserver/middleware.py
@@ -203,70 +203,3 @@ class CsrfCheckMiddleware(CsrfViewMiddleware):
             request._dont_enforce_csrf_checks = True
             return True
         return super()._origin_verified(request)
-
-
-class HmacSignAuthMiddleware:
-    """
-    在响应中写入客户端可读会话状态 Cookie(名:jms_session_sign),
-    供边缘代理、网关或安全设备(含 WAF)基于 Cookie 做访问策略,不特指某一种产品。
-
-    取值约定(均为非空,便于写规则):
-    已登录::|,HMAC 与 text_hmac_sha256 一致(消息会先 strip/lower)
-    有会话 Cookie 但未认证:expired(含会话过期、登出后会话仍存在、或仅匿名会话等)
-    请求未带会话 Cookie:unauth(首次访问等)
-    """
-
-    SIGN_COOKIE_NAME = 'jms_session_sign'
-    MARKER_UNAUTH = 'unauth'
-    MARKER_EXPIRED = 'expired'
-
-    def __init__(self, get_response):
-        self.get_response = get_response
-        enabled = os.getenv("HMAC_SIGN_AUTH_ENABLED", "").lower() in ("1", "true", "yes")
-        key_file_path = os.path.join(settings.PROJECT_DIR, "data", "unshare", "hmac.key")
-
-        if os.path.isfile(key_file_path):
-            with open(key_file_path, 'r') as f:
-                self.hmac_sign_key = f.read().strip()
-        else:
-            self.hmac_sign_key = os.getenv("HMAC_SIGN_KEY", "")
-
-        if not enabled or not self.hmac_sign_key:
-            raise MiddlewareNotUsed
-
-    def __call__(self, request):
-        response = self.get_response(request)
-        return self._set_session_sign_cookie(request, response)
-
-    def _set_session_sign_cookie(self, request, response):
-        session_cookie_name = settings.SESSION_COOKIE_NAME
-        has_session_cookie = bool(request.COOKIES.get(session_cookie_name))
-
-        if request.user.is_authenticated:
-            session_id = request.session.session_key
-            # request.user 可能为 IntegrationApplication对象
-            username = getattr(request.user, 'username', None) or getattr(request.user, 'name', None)
-            sign_data = f'{username}|{session_id}'
-        elif request.path == '/api/v1/authentication/tokens/' \
-                and response.status_code == 201:
-            user = response.data.get('user')
-            if not user:
-                sign_data = ''
-            else:
-                sign_data = f'{user["username"]}:{user["id"]}'
-        else:
-            sign_data = ''
-
-        if sign_data:
-            signature = text_hmac_sha256(sign_data, self.hmac_sign_key)
-            value = f'{signature}:{sign_data}'
-        elif has_session_cookie:
-            value = self.MARKER_EXPIRED
-        else:
-            value = self.MARKER_UNAUTH
-
-        response.set_cookie(
-            self.SIGN_COOKIE_NAME,
-            value,
-        )
-        return response
\ No newline at end of file
diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py
index 2a31207b4..0e148c2ce 100644
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@@ -190,7 +190,6 @@ MIDDLEWARE = [
     'authentication.middleware.MFAMiddleware',
     'authentication.middleware.ThirdPartyLoginMiddleware',
     'authentication.middleware.SessionCookieMiddleware',
-    'jumpserver.middleware.HmacSignAuthMiddleware',
     'simple_history.middleware.HistoryRequestMiddleware',
     'jumpserver.middleware.SafeRedirectMiddleware',
     *POST_CUSTOM_MIDDLEWARES,