mirror of
https://github.com/jumpserver/jumpserver.git
synced 2025-11-03 07:27:48 +00:00
363985ee7a
* [Update] user model 添加date_password_last_updated字段, 并在用户详情/个人信息页进行展示、重置密码/修改密码时进行更新;安全设置添加密码过期时间配置项; * [Update] 修改依赖,deb_requirements 删除 gcc automake * [Update] 添加定时任务: 检测用户密码是否过期 * [Update] 登录页面添加检测用户密码是否过期,并给出过期提示,拒绝登录 * [update] 用户密码过期时间5天以内,每天发送重置密码邮件 * [Update] api 登录认证,添加密码过期检测 * [Update] 添加提示用户密码即将过期信息 * [Update] 修改小细节 * [Update] User model 添加密码即将过期/已过期 property属性 * [Update] 修改用户api auth检测用户密码过期逻辑 * [Update] 添加翻译,用户密码过期 * [Update] 用户密码即将过期,发送密码过期提醒邮件 * [Update] 修改检测用户密码过期任务,修改interval为crontab * [Update] 修改翻译小细节 * [Update] 修改翻译小细节 * [Bugfix] 修复在用户更新页面修改密码时, 不更新最后密码修改时间的bug * [Update] 修复小细节 * [Update] 修改系统设置成功提示翻译信息
250 lines
8.2 KiB
Python
250 lines
8.2 KiB
Python
# -*- coding: utf-8 -*-
|
|
#
|
|
import uuid
|
|
|
|
from django.core.cache import cache
|
|
from django.urls import reverse
|
|
from django.shortcuts import get_object_or_404
|
|
from django.utils.translation import ugettext as _
|
|
|
|
from rest_framework.permissions import AllowAny
|
|
from rest_framework.response import Response
|
|
from rest_framework.views import APIView
|
|
|
|
from common.utils import get_logger, get_request_ip
|
|
from common.permissions import IsOrgAdminOrAppUser
|
|
from orgs.mixins import RootOrgViewMixin
|
|
from ..serializers import UserSerializer
|
|
from ..tasks import write_login_log_async
|
|
from ..models import User, LoginLog
|
|
from ..utils import check_user_valid, generate_token, \
|
|
check_otp_code, increase_login_failed_count, is_block_login, \
|
|
clean_failed_count
|
|
from ..hands import Asset, SystemUser
|
|
|
|
|
|
logger = get_logger(__name__)
|
|
|
|
|
|
class UserAuthApi(RootOrgViewMixin, APIView):
|
|
permission_classes = (AllowAny,)
|
|
serializer_class = UserSerializer
|
|
|
|
def post(self, request):
|
|
# limit login
|
|
username = request.data.get('username')
|
|
ip = request.data.get('remote_addr', None)
|
|
ip = ip or get_request_ip(request)
|
|
|
|
if is_block_login(username, ip):
|
|
msg = _("Log in frequently and try again later")
|
|
logger.warn(msg + ': ' + username + ':' + ip)
|
|
return Response({'msg': msg}, status=401)
|
|
|
|
user, msg = self.check_user_valid(request)
|
|
if not user:
|
|
username = request.data.get('username', '')
|
|
exist = User.objects.filter(username=username).first()
|
|
reason = LoginLog.REASON_PASSWORD if exist else LoginLog.REASON_NOT_EXIST
|
|
data = {
|
|
'username': username,
|
|
'mfa': LoginLog.MFA_UNKNOWN,
|
|
'reason': reason,
|
|
'status': False
|
|
}
|
|
self.write_login_log(request, data)
|
|
increase_login_failed_count(username, ip)
|
|
return Response({'msg': msg}, status=401)
|
|
|
|
if user.password_has_expired:
|
|
data = {
|
|
'username': user.username,
|
|
'mfa': int(user.otp_enabled),
|
|
'reason': LoginLog.REASON_PASSWORD_EXPIRED,
|
|
'status': False
|
|
}
|
|
self.write_login_log(request, data)
|
|
msg = _("The user {} password has expired, please update.".format(
|
|
user.username))
|
|
logger.info(msg)
|
|
return Response({'msg': msg}, status=401)
|
|
|
|
if not user.otp_enabled:
|
|
data = {
|
|
'username': user.username,
|
|
'mfa': int(user.otp_enabled),
|
|
'reason': LoginLog.REASON_NOTHING,
|
|
'status': True
|
|
}
|
|
self.write_login_log(request, data)
|
|
# 登陆成功,清除原来的缓存计数
|
|
clean_failed_count(username, ip)
|
|
token = generate_token(request, user)
|
|
return Response(
|
|
{'token': token, 'user': self.serializer_class(user).data}
|
|
)
|
|
|
|
seed = uuid.uuid4().hex
|
|
cache.set(seed, user, 300)
|
|
return Response(
|
|
{
|
|
'code': 101,
|
|
'msg': _('Please carry seed value and '
|
|
'conduct MFA secondary certification'),
|
|
'otp_url': reverse('api-users:user-otp-auth'),
|
|
'seed': seed,
|
|
'user': self.serializer_class(user).data
|
|
}, status=300
|
|
)
|
|
|
|
@staticmethod
|
|
def check_user_valid(request):
|
|
username = request.data.get('username', '')
|
|
password = request.data.get('password', '')
|
|
public_key = request.data.get('public_key', '')
|
|
user, msg = check_user_valid(
|
|
username=username, password=password,
|
|
public_key=public_key
|
|
)
|
|
return user, msg
|
|
|
|
@staticmethod
|
|
def write_login_log(request, data):
|
|
login_ip = request.data.get('remote_addr', None)
|
|
login_type = request.data.get('login_type', '')
|
|
user_agent = request.data.get('HTTP_USER_AGENT', '')
|
|
|
|
if not login_ip:
|
|
login_ip = get_request_ip(request)
|
|
|
|
tmp_data = {
|
|
'ip': login_ip,
|
|
'type': login_type,
|
|
'user_agent': user_agent,
|
|
}
|
|
data.update(tmp_data)
|
|
|
|
write_login_log_async.delay(**data)
|
|
|
|
|
|
class UserConnectionTokenApi(RootOrgViewMixin, APIView):
|
|
permission_classes = (IsOrgAdminOrAppUser,)
|
|
|
|
def post(self, request):
|
|
user_id = request.data.get('user', '')
|
|
asset_id = request.data.get('asset', '')
|
|
system_user_id = request.data.get('system_user', '')
|
|
token = str(uuid.uuid4())
|
|
user = get_object_or_404(User, id=user_id)
|
|
asset = get_object_or_404(Asset, id=asset_id)
|
|
system_user = get_object_or_404(SystemUser, id=system_user_id)
|
|
value = {
|
|
'user': user_id,
|
|
'username': user.username,
|
|
'asset': asset_id,
|
|
'hostname': asset.hostname,
|
|
'system_user': system_user_id,
|
|
'system_user_name': system_user.name
|
|
}
|
|
cache.set(token, value, timeout=20)
|
|
return Response({"token": token}, status=201)
|
|
|
|
def get(self, request):
|
|
token = request.query_params.get('token')
|
|
user_only = request.query_params.get('user-only', None)
|
|
value = cache.get(token, None)
|
|
|
|
if not value:
|
|
return Response('', status=404)
|
|
|
|
if not user_only:
|
|
return Response(value)
|
|
else:
|
|
return Response({'user': value['user']})
|
|
|
|
def get_permissions(self):
|
|
if self.request.query_params.get('user-only', None):
|
|
self.permission_classes = (AllowAny,)
|
|
return super().get_permissions()
|
|
|
|
|
|
class UserToken(APIView):
|
|
permission_classes = (AllowAny,)
|
|
|
|
def post(self, request):
|
|
if not request.user.is_authenticated:
|
|
username = request.data.get('username', '')
|
|
email = request.data.get('email', '')
|
|
password = request.data.get('password', '')
|
|
public_key = request.data.get('public_key', '')
|
|
|
|
user, msg = check_user_valid(
|
|
username=username, email=email,
|
|
password=password, public_key=public_key)
|
|
else:
|
|
user = request.user
|
|
msg = None
|
|
if user:
|
|
token = generate_token(request, user)
|
|
return Response({'Token': token, 'Keyword': 'Bearer'}, status=200)
|
|
else:
|
|
return Response({'error': msg}, status=406)
|
|
|
|
|
|
class UserOtpAuthApi(RootOrgViewMixin, APIView):
|
|
permission_classes = (AllowAny,)
|
|
serializer_class = UserSerializer
|
|
|
|
def post(self, request):
|
|
otp_code = request.data.get('otp_code', '')
|
|
seed = request.data.get('seed', '')
|
|
|
|
user = cache.get(seed, None)
|
|
if not user:
|
|
return Response(
|
|
{'msg': _('Please verify the user name and password first')},
|
|
status=401
|
|
)
|
|
|
|
if not check_otp_code(user.otp_secret_key, otp_code):
|
|
data = {
|
|
'username': user.username,
|
|
'mfa': int(user.otp_enabled),
|
|
'reason': LoginLog.REASON_MFA,
|
|
'status': False
|
|
}
|
|
self.write_login_log(request, data)
|
|
return Response({'msg': _('MFA certification failed')}, status=401)
|
|
|
|
data = {
|
|
'username': user.username,
|
|
'mfa': int(user.otp_enabled),
|
|
'reason': LoginLog.REASON_NOTHING,
|
|
'status': True
|
|
}
|
|
self.write_login_log(request, data)
|
|
token = generate_token(request, user)
|
|
return Response(
|
|
{
|
|
'token': token,
|
|
'user': self.serializer_class(user).data
|
|
}
|
|
)
|
|
|
|
@staticmethod
|
|
def write_login_log(request, data):
|
|
login_ip = request.data.get('remote_addr', None)
|
|
login_type = request.data.get('login_type', '')
|
|
user_agent = request.data.get('HTTP_USER_AGENT', '')
|
|
|
|
if not login_ip:
|
|
login_ip = get_request_ip(request)
|
|
|
|
tmp_data = {
|
|
'ip': login_ip,
|
|
'type': login_type,
|
|
'user_agent': user_agent
|
|
}
|
|
data.update(tmp_data)
|
|
write_login_log_async.delay(**data)
|