[Bugfix] 解决下载导入模版时KeyError的问题（数据为空时） (#3017)

* [Bugfix] 解决下载导入模版时KeyError的问题（数据为空时）

* [Bugfix] 解决下载导入模版时KeyError的问题（数据为空时）2

* [Bugfix] 解决下载导入模版时KeyError的问题（数据为空时）3

* [Update] 解决LDAP用户禁用后，终端还可以登录成功一次的问题

* [Update] 解决LDAP用户禁用后，终端还可以登录成功一次的问题2

* [Update] LDAP AD Server可以通过UserAccountControl映射is_active字段

* [Update] 限制只有local用户可以更新ssh key

* [Update] 限制只有local用户可以更新ssh key 2

apps/authentication/backends/ldap.py

@@ -8,6 +8,7 @@ from django_auth_ldap.backend import _LDAPUser, LDAPBackend
 from django_auth_ldap.config import _LDAPConfig, LDAPSearch, LDAPSearchUnion
 
 from users.utils import construct_user_email
+from common.const import LDAP_AD_ACCOUNT_DISABLE
 
 logger = _LDAPConfig.get_logger()
 
@@ -17,6 +18,15 @@ class LDAPAuthorizationBackend(LDAPBackend):
     Override this class to override _LDAPUser to LDAPUser
     """
 
+    @staticmethod
+    def user_can_authenticate(user):
+        """
+        Reject users with is_active=False. Custom user models that don't have
+        that attribute are allowed.
+        """
+        is_valid = getattr(user, 'is_valid', None)
+        return is_valid or is_valid is None
+
     def authenticate(self, request=None, username=None, password=None, **kwargs):
         logger.info('Authentication LDAP backend')
         if not username:
@@ -25,34 +35,29 @@ class LDAPAuthorizationBackend(LDAPBackend):
         ldap_user = LDAPUser(self, username=username.strip(), request=request)
         user = self.authenticate_ldap_user(ldap_user, password)
         logger.info('Authenticate user: {}'.format(user))
-        return user
+        return user if self.user_can_authenticate(user) else None
 
     def get_user(self, user_id):
         user = None
-
         try:
             user = self.get_user_model().objects.get(pk=user_id)
             LDAPUser(self, user=user)  # This sets user.ldap_user
         except ObjectDoesNotExist:
             pass
-
         return user
 
     def get_group_permissions(self, user, obj=None):
         if not hasattr(user, 'ldap_user') and self.settings.AUTHORIZE_ALL_USERS:
             LDAPUser(self, user=user)  # This sets user.ldap_user
-
         if hasattr(user, 'ldap_user'):
             permissions = user.ldap_user.get_group_permissions()
         else:
             permissions = set()
-
         return permissions
 
     def populate_user(self, username):
         ldap_user = LDAPUser(self, username=username)
         user = ldap_user.populate_user()
-
         return user
 
 
@@ -91,13 +96,19 @@ class LDAPUser(_LDAPUser):
         for field, attr in self.settings.USER_ATTR_MAP.items():
             try:
                 value = self.attrs[attr][0]
+                if attr.lower() == 'useraccountcontrol' \
+                        and field == 'is_active' and value:
+                    value = int(value) & LDAP_AD_ACCOUNT_DISABLE \
+                            != LDAP_AD_ACCOUNT_DISABLE
             except LookupError:
                 logger.warning("{} does not have a value for the attribute {}".format(self.dn, attr))
             else:
                 if not hasattr(self._user, field):
                     continue
                 if isinstance(getattr(self._user, field), bool):
-                    value = value.lower() in ['true', '1']
+                    if isinstance(value, str):
+                        value = value.lower()
+                    value = value in ['true', '1', True]
                 setattr(self._user, field, value)
 
         email = getattr(self._user, 'email', '')

apps/authentication/backends/openid/backends.py

@@ -26,8 +26,8 @@ class BaseOpenIDAuthorizationBackend(object):
         Reject users with is_active=False. Custom user models that don't have
         that attribute are allowed.
         """
-        is_active = getattr(user, 'is_active', None)
-        return is_active or is_active is None
+        is_valid = getattr(user, 'is_valid', None)
+        return is_valid or is_valid is None
 
     def get_user(self, user_id):
         try: