From bb1349e962132deb67f130995a6ed7c106e0ddf0 Mon Sep 17 00:00:00 2001
From: ibuler
Date: Mon, 18 Nov 2019 18:12:03 +0800
Subject: [PATCH] =?UTF-8?q?[Update]=20=E4=BF=AE=E6=94=B9MFA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/api/mfa.py | 4 ++--
 apps/authentication/backends/radius.py | 17 -----------------
 apps/authentication/errors.py | 3 +--
 apps/authentication/mixins.py | 2 +-
 apps/authentication/models.py | 2 +-
 apps/authentication/views/mfa.py | 2 +-
 apps/users/api/user.py | 4 ++--
 apps/users/forms.py | 4 ++--
 apps/users/models/user.py | 16 ++++++++++++----
 apps/users/templates/users/user_detail.html | 9 +++++----
 apps/users/templates/users/user_profile.html | 4 ++--
 11 files changed, 29 insertions(+), 38 deletions(-)

diff --git a/apps/authentication/api/mfa.py b/apps/authentication/api/mfa.py
index d55a238d2..cc4f2ab6b 100644
--- a/apps/authentication/api/mfa.py
+++ b/apps/authentication/api/mfa.py
@@ -24,7 +24,7 @@ class MFAChallengeApi(AuthMixin, CreateAPIView):
 try:
 user = self.get_user_from_session()
 code = serializer.validated_data.get('code')
- valid = user.check_otp(code)
+ valid = user.check_mfa(code)
 if not valid:
 self.request.session['auth_mfa'] = ''
 raise errors.MFAFailedError(
@@ -52,7 +52,7 @@ class UserOtpVerifyApi(CreateAPIView):
 serializer.is_valid(raise_exception=True)
 code = serializer.validated_data["code"]
 
- if request.user.check_otp(code):
+ if request.user.check_mfa(code):
 request.session["MFA_VERIFY_TIME"] = int(time.time())
 return Response({"ok": "1"})
 else:
diff --git a/apps/authentication/backends/radius.py b/apps/authentication/backends/radius.py
index 47f369205..2b193bbd0 100644
--- a/apps/authentication/backends/radius.py
+++ b/apps/authentication/backends/radius.py
@@ -27,23 +27,6 @@ class CreateUserMixin:
 user.save()
 return user
 
- def _get_auth_packet(self, username, password, client):
- """
- Get the pyrad authentication packet for the username/password and the
- given pyrad client.
- """
- pkt = client.CreateAuthPacket(code=AccessRequest,
- User_Name=username)
- if settings.CONFIG.RADIUS_ENCRYPT_PASSWORD:
- password = pkt.PwCrypt(password)
- else:
- password = password
- pkt["User-Password"] = password
- pkt["NAS-Identifier"] = 'django-radius'
- for key, val in list(getattr(settings, 'RADIUS_ATTRIBUTES', {}).items()):
- pkt[key] = val
- return pkt
-
 
 class RadiusBackend(CreateUserMixin, RADIUSBackend):
 pass
diff --git a/apps/authentication/errors.py b/apps/authentication/errors.py
index 9df4ad1f7..9054568d8 100644
--- a/apps/authentication/errors.py
+++ b/apps/authentication/errors.py
@@ -109,8 +109,7 @@ class CredentialError(AuthFailedNeedLogMixin, AuthFailedNeedBlockMixin, AuthFail
 
 
 class MFAFailedError(AuthFailedNeedLogMixin, AuthFailedError):
- reason = reason_mfa_failed
- error = 'mfa_failed'
+ error = reason_mfa_failed
 msg = mfa_failed_msg
 
 def __init__(self, username, request):
diff --git a/apps/authentication/mixins.py b/apps/authentication/mixins.py
index bb488791f..499625ae2 100644
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@@ -97,7 +97,7 @@ class AuthMixin:
 
 def check_user_mfa(self, code):
 user = self.get_user_from_session()
- ok = user.check_otp(code)
+ ok = user.check_mfa(code)
 if ok:
 self.request.session['auth_mfa'] = 1
 self.request.session['auth_mfa_time'] = time.time()
diff --git a/apps/authentication/models.py b/apps/authentication/models.py
index e8d4b6114..6a60b3432 100644
--- a/apps/authentication/models.py
+++ b/apps/authentication/models.py
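Review bot: Reusing `error` for `reason_mfa_failed` in MFAFailedError changes what that attribute means: it previously held the fixed key `'mfa_failed'`, and if `error` is what ends up in the login-failure log or in API responses, a reason string there is no longer a stable value to filter or alert on. Keeping both attributes, `error = 'mfa_failed'` and `reason = reason_mfa_failed`, would preserve the constant code while views read `e.msg` as the views/mfa.py hunk now does. Any other caller still reading `e.reason` will raise AttributeError after this commit; only the one use in views/mfa.py is updated here. The class body continues past the hunk.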
@@ -50,7 +50,7 @@ class LoginConfirmSetting(CommonModelMixin):
 
 def create_confirm_ticket(self, request=None):
 from tickets.models import Ticket
- title = '[' + __('Login confirm') + ']: {}'.format(self.user)
+ title = _('Login confirm') + '{}'.format(self.user)
 if request:
 remote_addr = get_request_ip(request)
 city = get_ip_city(remote_addr)
diff --git a/apps/authentication/views/mfa.py b/apps/authentication/views/mfa.py
index c143601cb..57d6751da 100644
--- a/apps/authentication/views/mfa.py
+++ b/apps/authentication/views/mfa.py
@@ -20,6 +20,6 @@ class UserLoginOtpView(mixins.AuthMixin, FormView):
 self.check_user_mfa(otp_code)
 return redirect_to_guard_view()
 except errors.MFAFailedError as e:
- form.add_error('otp_code', e.reason)
+ form.add_error('otp_code', e.msg)
 return super().form_invalid(form)
 
diff --git a/apps/users/api/user.py b/apps/users/api/user.py
index 11f82a764..1c31df292 100644
--- a/apps/users/api/user.py
+++ b/apps/users/api/user.py
@@ -172,8 +172,8 @@ class UserResetOTPApi(UserQuerysetMixin, generics.RetrieveAPIView):
 if user == request.user:
 msg = _("Could not reset self otp, use profile reset instead")
 return Response({"error": msg}, status=401)
- if user.mfa_enabled and user.otp_secret_key:
- user.otp_secret_key = ''
+ if user.mfa_enabled:
+ user.reset_mfa()
 user.save()
 logout(request)
 return Response({"msg": "success"})
diff --git a/apps/users/forms.py b/apps/users/forms.py
index dd60c48be..6b360fb71 100644
--- a/apps/users/forms.py
+++ b/apps/users/forms.py
@@ -158,8 +158,8 @@ class UserUpdateForm(UserCreateUpdateFormMixin):
 
 
 class UserProfileForm(forms.ModelForm):
- username = forms.CharField(disabled=True)
- name = forms.CharField(disabled=True)
+ username = forms.CharField(disabled=True, label=_("Username"))
+ name = forms.CharField(disabled=True, label=_("Name"))
 email = forms.CharField(disabled=True)
 
 class Meta:
diff --git a/apps/users/models/user.py b/apps/users/models/user.py
index 0a4935daf..d9bbfe74f 100644
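Review bot: The new title `_('Login confirm') + '{}'.format(self.user)` joins the label and the user with no separator, so the ticket title comes out as one run-on string (e.g. `Login confirmalice` for a user named alice); the removed line had `]: ` between them. Suggest `title = '{}: {}'.format(_('Login confirm'), self.user)`, which also removes the pointless `'{}'.format(...)` wrapper. create_confirm_ticket continues past the hunk, and whether the `__` to `_` switch (lazy vs. immediate translation) is intended cannot be judged from here.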
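Review bot: `user.reset_mfa()` only clears the secret when `mfa_is_otp()` is true (see the apps/users/models/user.py hunk), so in RADIUS mode UserResetOTPApi still saves, calls `logout(request)` and answers `{"msg": "success"}` although nothing was reset. Either check `user.mfa_is_otp()` in the view and return an explicit error, or have `reset_mfa()` return whether it changed anything and branch on it, e.g. `if not (user.mfa_enabled and user.reset_mfa()): return Response({"error": _("MFA is not OTP based")}, status=400)`. Dropping the `otp_secret_key` guard is itself harmless, since clearing an already-empty key changes nothing. The method's opening lines are outside the hunk.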
--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@@ -375,13 +375,17 @@ class MFAMixin:
 self.mfa_level = 0
 self.otp_secret_key = None
 
+ def reset_mfa(self):
+ if self.mfa_is_otp():
+ self.otp_secret_key = ''
+
 @staticmethod
 def mfa_is_otp():
 if settings.CONFIG.OTP_IN_RADIUS:
 return False
 return True
 
- def check_otp_on_radius(self, code):
+ def check_radius(self, code):
 from authentication.backends.radius import RadiusBackend
 backend = RadiusBackend()
 user = backend.authenticate(None, username=self.username, password=code)
@@ -391,13 +395,17 @@ class MFAMixin:
 
 def check_otp(self, code):
 from ..utils import check_otp_code
+ return check_otp_code(self.otp_secret_key, code)
+
+ def check_mfa(self, code):
 if settings.CONFIG.OTP_IN_RADIUS:
- return self.check_otp_on_radius(code)
+ return self.check_radius(code)
 else:
- return check_otp_code(self.otp_secret_key, code)
+ return self.check_otp(code)
 
 def mfa_enabled_but_not_set(self):
- if self.mfa_enabled and self.mfa_is_otp() and not self.otp_secret_key:
+ if self.mfa_enabled and \
+ self.mfa_is_otp() and not self.otp_secret_key:
 return True
 return False
 
diff --git a/apps/users/templates/users/user_detail.html b/apps/users/templates/users/user_detail.html
index 768fbdef2..c71d26241 100644
--- a/apps/users/templates/users/user_detail.html
+++ b/apps/users/templates/users/user_detail.html
@@ -7,7 +7,6 @@ - {% endblock %} {% block content %}
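Review bot: `reset_mfa` writes `''` to `otp_secret_key` while the context lines just above it in the same hunk reset the same field to `None`, so the column ends up with two different "unset" representations; `mfa_enabled_but_not_set` tolerates both through `not self.otp_secret_key`, but any exact comparison or database filter on the field will not. Pick one sentinel, e.g. `self.otp_secret_key = None` in `reset_mfa`. In RADIUS mode `reset_mfa` silently does nothing, which the caller in apps/users/api/user.py cannot tell apart from a successful reset; returning a bool from both branches would let it report that. The enclosing class MFAMixin starts before the hunk and `check_radius` is cut off at its end.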
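Review bot: `check_otp` now hands `self.otp_secret_key` to `check_otp_code` even when the key has been reset to `''` or `None`; unless `check_otp_code` is known to reject an empty secret, add a fail-closed guard before the call: `if not self.otp_secret_key: return False`. `check_mfa` also re-tests `settings.CONFIG.OTP_IN_RADIUS` directly although `mfa_is_otp()` already encapsulates that condition; `return self.check_otp(code) if self.mfa_is_otp() else self.check_radius(code)` keeps the two from drifting apart. The backslash continuation in `mfa_enabled_but_not_set` would read better wrapped in parentheses. MFAMixin starts before the hunk.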
@@ -158,8 +157,9 @@ - {% trans 'Force enabled MFA' %}: - + {% trans 'Force enabled MFA' %}: + +
-
+
+ {% trans 'Reset MFA' %}: diff --git a/apps/users/templates/users/user_profile.html b/apps/users/templates/users/user_profile.html index 437fe5314..314e86ac3 100644 --- a/apps/users/templates/users/user_profile.html +++ b/apps/users/templates/users/user_profile.html @@ -158,7 +158,7 @@ {% trans 'Disable' %} {% else %} @@ -183,7 +183,7 @@ {% endif %} - {% if request.user.mfa_enabled and request.user.otp_secret_key %} + {% if request.user.mfa_enabled %} {% trans 'Update MFA' %}: