mirror of
https://github.com/jumpserver/jumpserver.git
synced 2026-01-15 23:23:21 +00:00
1fd2e782f8
* [Update] 暂存,优化解决不了问题 * [Update] 待续(小白) * [Update] 修改asset user * [Update] 计划再次更改 * [Update] 修改asset user * [Update] 暂存与喜爱 * [Update] Add id in * [Update] 阶段性完成ops task该做 * [Update] 修改asset user api * [Update] 修改asset user 任务,查看认证等 * [Update] 基本完成asset user改造 * [Update] dynamic user only allow 1 * [Update] 修改asset user task * [Update] 修改node admin user task api * [Update] remove file header license * [Update] 添加sftp root * [Update] 暂存 * [Update] 暂存 * [Update] 修改翻译 * [Update] 修改系统用户改为同名后,用户名改为空 * [Update] 基本完成CAS调研 * [Update] 支持cas server * [Update] 支持cas server * [Update] 添加requirements * [Update] 为方便调试添加mysql ipython到包中 * [Update] 添加huaweiyun翻译 * [Update] 增加下载session 录像 * [Update] 只有第一次通知replay离线的使用方法 * [Update] 暂存一下 * [Bugfix] 获取系统用户信息报错 * [Bugfix] 修改system user info * [Update] 改成清理10天git status * [Update] 修改celery日志保留时间 * [Update]修复部分pip包依赖的版本不兼容问题 (#3672) * [Update] 修复用户更新页面会清空用户public_key的问题 * Fix broken dependencies Co-authored-by: BaiJiangJie <32935519+BaiJiangJie@users.noreply.github.com> * [Update] 修改获取系统用户auth info * [Update] Remove log * [Bugfix] 修复sftp home设置的bug * [Update] 授权的系统用户添加sftp root * [Update] 修改系统用户关联的用户 * [Update] 修改placeholder * [Update] 优化获取授权的系统用户 * [Update] 修改tasks * [Update] tree service update * [Update] 暂存 * [Update] 基本完成用户授权树和资产树改造 * [Update] Dashbaord perf * [update] Add huawei cloud sdk requirements * [Updte] 优化dashboard页面 * [Update] system user auth info 添加id * [Update] 修改系统用户serializer * [Update] 优化api * [Update] LDAP Test Util (#3720) * [Update] LDAPTestUtil 1 * [Update] LDAPTestUtil 2 * [Update] LDAPTestUtil 3 * [Update] LDAPTestUtil 4 * [Update] LDAPTestUtil 5 * [Update] LDAPTestUtil 6 * [Update] LDAPTestUtil 7 * [Update] session 已添加is success,并且添加display serializer * [Bugfix] 修复无法删除空节点的bug * [Update] 命令记录分组织显示 * [Update] Session is_success 添加迁移文件 * [Update] 批量命令添加org_id * [Update] 修复一些文案,修改不绑定MFA,不能ssh登录 * [Update] 修改replay api, 返回session信息 * [Update] 解决无效es导致访问命令记录页面失败的问题 * [Update] 拆分profile view * [Update] 修改一个翻译 * [Update] 修改aysnc api框架 * [Update] 命令列表添加risk level * [Update] 完成录像打包下载 * [Update] 更改登陆otp页面 * [Update] 修改command 存储redis_level * [Update] 修改翻译 * [Update] 修改系统用户的用户列表字段 * [Update] 使用新logo和统一Jumpserver为JumpServer * [Update] 优化cloud task * [Update] 统一period task * [Update] 统一period form serializer字段 * [Update] 修改period task * [Update] 修改资产网关信息 * [Update] 用户授权资产树资产信息添加domain * [Update] 修改翻译 * [Update] 测试可连接性 * 1.5.7 bai (#3764) * [Update] 修复index页面Bug;修复测试资产用户可连接性问题; * [Update] 修改测试资产用户可连接 * [Bugfix] 修复backends问题 * [Update] 修改marksafe依赖版本 * [Update] 修改测试资产用户可连接性 * [Update] 修改检测服务器性能时获取percent值 * [Update] 更新依赖boto3=1.12.14 Co-authored-by: Yanzhe Lee <lee.yanzhe@yanzhe.org> Co-authored-by: BaiJiangJie <32935519+BaiJiangJie@users.noreply.github.com> Co-authored-by: Bai <bugatti_it@163.com>
334 lines
10 KiB
Python
334 lines
10 KiB
Python
# ~*~ coding: utf-8 ~*~
|
|
#
|
|
import os
|
|
import re
|
|
import pyotp
|
|
import base64
|
|
import logging
|
|
|
|
from django.http import Http404
|
|
from django.conf import settings
|
|
from django.utils.translation import ugettext as _
|
|
from django.core.cache import cache
|
|
from datetime import datetime
|
|
|
|
from common.tasks import send_mail_async
|
|
from common.utils import reverse, get_object_or_none
|
|
from .models import User
|
|
|
|
|
|
logger = logging.getLogger('jumpserver')
|
|
|
|
|
|
def construct_user_created_email_body(user):
|
|
default_body = _("""
|
|
<div>
|
|
<p>Your account has been created successfully</p>
|
|
<div>
|
|
Username: %(username)s
|
|
<br/>
|
|
Password: <a href="%(rest_password_url)s?token=%(rest_password_token)s">
|
|
click here to set your password</a>
|
|
(This link is valid for 1 hour. After it expires, <a href="%(forget_password_url)s?email=%(email)s">request new one</a>)
|
|
</div>
|
|
<div>
|
|
<p>---</p>
|
|
<a href="%(login_url)s">Login direct</a>
|
|
</div>
|
|
</div>
|
|
""") % {
|
|
'username': user.username,
|
|
'rest_password_url': reverse('users:reset-password', external=True),
|
|
'rest_password_token': user.generate_reset_token(),
|
|
'forget_password_url': reverse('users:forgot-password', external=True),
|
|
'email': user.email,
|
|
'login_url': reverse('authentication:login', external=True),
|
|
}
|
|
|
|
if settings.EMAIL_CUSTOM_USER_CREATED_BODY:
|
|
custom_body = '<p style="text-indent:2em">' + settings.EMAIL_CUSTOM_USER_CREATED_BODY + '</p>'
|
|
else:
|
|
custom_body = ''
|
|
body = custom_body + default_body
|
|
return body
|
|
|
|
|
|
def send_user_created_mail(user):
|
|
recipient_list = [user.email]
|
|
subject = _('Create account successfully')
|
|
if settings.EMAIL_CUSTOM_USER_CREATED_SUBJECT:
|
|
subject = settings.EMAIL_CUSTOM_USER_CREATED_SUBJECT
|
|
|
|
honorific = '<p>' + _('Hello %(name)s') % {'name': user.name} + ':</p>'
|
|
if settings.EMAIL_CUSTOM_USER_CREATED_HONORIFIC:
|
|
honorific = '<p>' + settings.EMAIL_CUSTOM_USER_CREATED_HONORIFIC + ':</p>'
|
|
|
|
body = construct_user_created_email_body(user)
|
|
|
|
signature = '<p style="float:right">jumpserver</p>'
|
|
if settings.EMAIL_CUSTOM_USER_CREATED_SIGNATURE:
|
|
signature = '<p style="float:right">' + settings.EMAIL_CUSTOM_USER_CREATED_SIGNATURE + '</p>'
|
|
|
|
message = honorific + body + signature
|
|
if settings.DEBUG:
|
|
try:
|
|
print(message)
|
|
except OSError:
|
|
pass
|
|
|
|
send_mail_async.delay(subject, message, recipient_list, html_message=message)
|
|
|
|
|
|
def send_reset_password_mail(user):
|
|
subject = _('Reset password')
|
|
recipient_list = [user.email]
|
|
message = _("""
|
|
Hello %(name)s:
|
|
<br>
|
|
Please click the link below to reset your password, if not your request, concern your account security
|
|
<br>
|
|
<a href="%(rest_password_url)s?token=%(rest_password_token)s">Click here reset password</a>
|
|
<br>
|
|
This link is valid for 1 hour. After it expires, <a href="%(forget_password_url)s?email=%(email)s">request new one</a>
|
|
|
|
<br>
|
|
---
|
|
|
|
<br>
|
|
<a href="%(login_url)s">Login direct</a>
|
|
|
|
<br>
|
|
""") % {
|
|
'name': user.name,
|
|
'rest_password_url': reverse('users:reset-password', external=True),
|
|
'rest_password_token': user.generate_reset_token(),
|
|
'forget_password_url': reverse('users:forgot-password', external=True),
|
|
'email': user.email,
|
|
'login_url': reverse('authentication:login', external=True),
|
|
}
|
|
if settings.DEBUG:
|
|
logger.debug(message)
|
|
|
|
send_mail_async.delay(subject, message, recipient_list, html_message=message)
|
|
|
|
|
|
def send_password_expiration_reminder_mail(user):
|
|
subject = _('Security notice')
|
|
recipient_list = [user.email]
|
|
message = _("""
|
|
Hello %(name)s:
|
|
<br>
|
|
Your password will expire in %(date_password_expired)s,
|
|
<br>
|
|
For your account security, please click on the link below to update your password in time
|
|
<br>
|
|
<a href="%(update_password_url)s">Click here update password</a>
|
|
<br>
|
|
If your password has expired, please click
|
|
<a href="%(forget_password_url)s?email=%(email)s">Password expired</a>
|
|
to apply for a password reset email.
|
|
|
|
<br>
|
|
---
|
|
|
|
<br>
|
|
<a href="%(login_url)s">Login direct</a>
|
|
|
|
<br>
|
|
""") % {
|
|
'name': user.name,
|
|
'date_password_expired': datetime.fromtimestamp(datetime.timestamp(
|
|
user.date_password_expired)).strftime('%Y-%m-%d %H:%M'),
|
|
'update_password_url': reverse('users:user-password-update', external=True),
|
|
'forget_password_url': reverse('users:forgot-password', external=True),
|
|
'email': user.email,
|
|
'login_url': reverse('authentication:login', external=True),
|
|
}
|
|
if settings.DEBUG:
|
|
logger.debug(message)
|
|
|
|
send_mail_async.delay(subject, message, recipient_list, html_message=message)
|
|
|
|
|
|
def send_user_expiration_reminder_mail(user):
|
|
subject = _('Expiration notice')
|
|
recipient_list = [user.email]
|
|
message = _("""
|
|
Hello %(name)s:
|
|
<br>
|
|
Your account will expire in %(date_expired)s,
|
|
<br>
|
|
In order not to affect your normal work, please contact the administrator for confirmation.
|
|
<br>
|
|
""") % {
|
|
'name': user.name,
|
|
'date_expired': datetime.fromtimestamp(datetime.timestamp(
|
|
user.date_expired)).strftime('%Y-%m-%d %H:%M'),
|
|
}
|
|
if settings.DEBUG:
|
|
logger.debug(message)
|
|
|
|
send_mail_async.delay(subject, message, recipient_list, html_message=message)
|
|
|
|
|
|
def send_reset_ssh_key_mail(user):
|
|
subject = _('SSH Key Reset')
|
|
recipient_list = [user.email]
|
|
message = _("""
|
|
Hello %(name)s:
|
|
<br>
|
|
Your ssh public key has been reset by site administrator.
|
|
Please login and reset your ssh public key.
|
|
<br>
|
|
<a href="%(login_url)s">Login direct</a>
|
|
|
|
<br>
|
|
""") % {
|
|
'name': user.name,
|
|
'login_url': reverse('authentication:login', external=True),
|
|
}
|
|
if settings.DEBUG:
|
|
logger.debug(message)
|
|
|
|
send_mail_async.delay(subject, message, recipient_list, html_message=message)
|
|
|
|
|
|
def get_user_or_pre_auth_user(request):
|
|
user = request.user
|
|
if user.is_authenticated:
|
|
return user
|
|
pre_auth_user_id = request.session.get('user_id')
|
|
user = None
|
|
if pre_auth_user_id:
|
|
user = get_object_or_none(User, pk=pre_auth_user_id)
|
|
return user
|
|
|
|
|
|
def redirect_user_first_login_or_index(request, redirect_field_name):
|
|
if request.user.is_first_login:
|
|
return reverse('users:user-first-login')
|
|
url_in_post = request.POST.get(redirect_field_name)
|
|
if url_in_post:
|
|
return url_in_post
|
|
url_in_get = request.GET.get(redirect_field_name, reverse('index'))
|
|
return url_in_get
|
|
|
|
|
|
def generate_otp_uri(username, otp_secret_key=None, issuer="JumpServer"):
|
|
if otp_secret_key is None:
|
|
otp_secret_key = base64.b32encode(os.urandom(10)).decode('utf-8')
|
|
totp = pyotp.TOTP(otp_secret_key)
|
|
otp_issuer_name = settings.OTP_ISSUER_NAME or issuer
|
|
uri = totp.provisioning_uri(name=username, issuer_name=otp_issuer_name)
|
|
return uri, otp_secret_key
|
|
|
|
|
|
def check_otp_code(otp_secret_key, otp_code):
|
|
if not otp_secret_key or not otp_code:
|
|
return False
|
|
totp = pyotp.TOTP(otp_secret_key)
|
|
otp_valid_window = settings.OTP_VALID_WINDOW or 0
|
|
return totp.verify(otp=otp_code, valid_window=otp_valid_window)
|
|
|
|
|
|
def get_password_check_rules():
|
|
check_rules = []
|
|
for rule in settings.SECURITY_PASSWORD_RULES:
|
|
key = "id_{}".format(rule.lower())
|
|
value = getattr(settings, rule)
|
|
if not value:
|
|
continue
|
|
check_rules.append({'key': key, 'value': int(value)})
|
|
return check_rules
|
|
|
|
|
|
def check_password_rules(password):
|
|
pattern = r"^"
|
|
if settings.SECURITY_PASSWORD_UPPER_CASE:
|
|
pattern += '(?=.*[A-Z])'
|
|
if settings.SECURITY_PASSWORD_LOWER_CASE:
|
|
pattern += '(?=.*[a-z])'
|
|
if settings.SECURITY_PASSWORD_NUMBER:
|
|
pattern += '(?=.*\d)'
|
|
if settings.SECURITY_PASSWORD_SPECIAL_CHAR:
|
|
pattern += '(?=.*[`~!@#\$%\^&\*\(\)-=_\+\[\]\{\}\|;:\'\",\.<>\/\?])'
|
|
pattern += '[a-zA-Z\d`~!@#\$%\^&\*\(\)-=_\+\[\]\{\}\|;:\'\",\.<>\/\?]'
|
|
pattern += '.{' + str(settings.SECURITY_PASSWORD_MIN_LENGTH-1) + ',}$'
|
|
match_obj = re.match(pattern, password)
|
|
return bool(match_obj)
|
|
|
|
|
|
key_prefix_limit = "_LOGIN_LIMIT_{}_{}"
|
|
key_prefix_block = "_LOGIN_BLOCK_{}"
|
|
|
|
|
|
# def increase_login_failed_count(key_limit, key_block):
|
|
def increase_login_failed_count(username, ip):
|
|
key_limit = key_prefix_limit.format(username, ip)
|
|
count = cache.get(key_limit)
|
|
count = count + 1 if count else 1
|
|
|
|
limit_time = settings.SECURITY_LOGIN_LIMIT_TIME
|
|
cache.set(key_limit, count, int(limit_time)*60)
|
|
|
|
|
|
def get_login_failed_count(username, ip):
|
|
key_limit = key_prefix_limit.format(username, ip)
|
|
count = cache.get(key_limit, 0)
|
|
return count
|
|
|
|
|
|
def clean_failed_count(username, ip):
|
|
key_limit = key_prefix_limit.format(username, ip)
|
|
key_block = key_prefix_block.format(username)
|
|
cache.delete(key_limit)
|
|
cache.delete(key_block)
|
|
|
|
|
|
def is_block_login(username, ip):
|
|
count = get_login_failed_count(username, ip)
|
|
key_block = key_prefix_block.format(username)
|
|
|
|
limit_count = settings.SECURITY_LOGIN_LIMIT_COUNT
|
|
limit_time = settings.SECURITY_LOGIN_LIMIT_TIME
|
|
|
|
if count >= limit_count:
|
|
cache.set(key_block, 1, int(limit_time)*60)
|
|
if count and count >= limit_count:
|
|
return True
|
|
|
|
|
|
def is_need_unblock(key_block):
|
|
if not cache.get(key_block):
|
|
return False
|
|
return True
|
|
|
|
|
|
def construct_user_email(username, email):
|
|
if '@' not in email:
|
|
if '@' in username:
|
|
email = username
|
|
else:
|
|
email = '{}@{}'.format(username, settings.EMAIL_SUFFIX)
|
|
return email
|
|
|
|
|
|
def get_current_org_members(exclude=()):
|
|
from orgs.utils import current_org
|
|
return current_org.get_org_members(exclude=exclude)
|
|
|
|
|
|
def get_source_choices():
|
|
from .models import User
|
|
choices_all = dict(User.SOURCE_CHOICES)
|
|
choices = [
|
|
(User.SOURCE_LOCAL, choices_all[User.SOURCE_LOCAL]),
|
|
]
|
|
if settings.AUTH_LDAP:
|
|
choices.append((User.SOURCE_LDAP, choices_all[User.SOURCE_LDAP]))
|
|
if settings.AUTH_OPENID:
|
|
choices.append((User.SOURCE_OPENID, choices_all[User.SOURCE_OPENID]))
|
|
if settings.AUTH_RADIUS:
|
|
choices.append((User.SOURCE_RADIUS, choices_all[User.SOURCE_RADIUS]))
|
|
return choices
|