Fix rbac (#7728)

* perf: 重命名 signal handlers * fix: 修复 ticket processor 问题 * perf: 修改 ticket 处理人api * fix: 修复创建系统账号bug * fix: 升级celery_beat==2.2.1和flower==1.0.0;修改celery进程启动参数先后顺序 * perf: 修改 authentication token * fix: 修复上传权限bug * fix: 登录页面增加i18n切换; * fix: 系统角色删除限制 * perf: 修改一下 permissions tree * perf: 生成 i18n * perf: 修改一点点 Co-authored-by: ibuler <ibuler@qq.com> Co-authored-by: feng626 <1304903146@qq.com> Co-authored-by: Jiangjie.Bai <bugatti_it@163.com>
2025-09-23 04:20:27 +00:00 · 2022-03-02 20:48:43 +08:00
parent 04e46e4b1c
commit dafc416783
69 changed files with 929 additions and 519 deletions
--- a/apps/authentication/signal_handlers.py
+++ b/apps/authentication/signal_handlers.py
@@ -0,0 +1,62 @@
+from importlib import import_module
+
+from django.conf import settings
+from django.contrib.auth import user_logged_in
+from django.core.cache import cache
+from django.dispatch import receiver
+from django_cas_ng.signals import cas_user_authenticated
+
+from authentication.backends.oidc.signals import openid_user_login_failed, openid_user_login_success
+
+from authentication.backends.saml2.signals import (
+    saml2_user_authenticated, saml2_user_authentication_failed
+)
+from .signals import post_auth_success, post_auth_failed
+
+
+@receiver(user_logged_in)
+def on_user_auth_login_success(sender, user, request, **kwargs):
+    # 开启了 MFA，且没有校验过, 可以全局校验, middleware 中可以全局管理 oidc 等第三方认证的 MFA
+    if settings.SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY \
+            and user.mfa_enabled \
+            and not request.session.get('auth_mfa'):
+        request.session['auth_mfa_required'] = 1
+
+    # 单点登录，超过了自动退出
+    if settings.USER_LOGIN_SINGLE_MACHINE_ENABLED:
+        user_id = 'single_machine_login_' + str(user.id)
+        session_key = cache.get(user_id)
+        if session_key and session_key != request.session.session_key:
+            session = import_module(settings.SESSION_ENGINE).SessionStore(session_key)
+            session.delete()
+        cache.set(user_id, request.session.session_key, None)
+
+
+@receiver(openid_user_login_success)
+def on_oidc_user_login_success(sender, request, user, create=False, **kwargs):
+    request.session['auth_backend'] = settings.AUTH_BACKEND_OIDC_CODE
+    post_auth_success.send(sender, user=user, request=request)
+
+
+@receiver(openid_user_login_failed)
+def on_oidc_user_login_failed(sender, username, request, reason, **kwargs):
+    request.session['auth_backend'] = settings.AUTH_BACKEND_OIDC_CODE
+    post_auth_failed.send(sender, username=username, request=request, reason=reason)
+
+
+@receiver(cas_user_authenticated)
+def on_cas_user_login_success(sender, request, user, **kwargs):
+    request.session['auth_backend'] = settings.AUTH_BACKEND_CAS
+    post_auth_success.send(sender, user=user, request=request)
+
+
+@receiver(saml2_user_authenticated)
+def on_saml2_user_login_success(sender, request, user, **kwargs):
+    request.session['auth_backend'] = settings.AUTH_BACKEND_SAML2
+    post_auth_success.send(sender, user=user, request=request)
+
+
+@receiver(saml2_user_authentication_failed)
+def on_saml2_user_login_failed(sender, request, username, reason, **kwargs):
+    request.session['auth_backend'] = settings.AUTH_BACKEND_SAML2
+    post_auth_failed.send(sender, username=username, request=request, reason=reason)