From 3d04bfea6d510e901674fff36d54b43f2b2e02cf Mon Sep 17 00:00:00 2001 From: Shuai Lin Date: Fri, 15 Apr 2016 09:08:22 +0800 Subject: [PATCH] support two factor authentication --- seahub/auth/views.py | 10 +++++++--- .../profile/templates/profile/set_profile.html | 3 +++ seahub/profile/urls.py | 16 ++++++++++++---- seahub/profile/views.py | 13 +++++++++---- seahub/settings.py | 3 +++ seahub/templates/sysadmin/settings.html | 6 ++++++ seahub/utils/two_factor_auth.py | 9 +++++++++ seahub/views/sysadmin.py | 9 +++++++-- thirdpart/registration/auth_urls.py | 9 +++++++++ 9 files changed, 65 insertions(+), 13 deletions(-) create mode 100644 seahub/utils/two_factor_auth.py diff --git a/seahub/auth/views.py b/seahub/auth/views.py index 4ca6c2f360..3dea05e32b 100644 --- a/seahub/auth/views.py +++ b/seahub/auth/views.py @@ -28,6 +28,7 @@ from seahub.profile.models import Profile from seahub.utils import is_ldap_user from seahub.utils.http import is_safe_url from seahub.utils.ip import get_remote_ip +from seahub.utils.two_factor_auth import two_factor_auth_enabled, handle_two_factor_auth from constance import config @@ -43,14 +44,17 @@ def log_user_in(request, user, redirect_to): if not is_safe_url(url=redirect_to, host=request.get_host()): redirect_to = settings.LOGIN_REDIRECT_URL - # Okay, security checks complete. Log the user in. - auth_login(request, user) - if request.session.test_cookie_worked(): request.session.delete_test_cookie() _clear_login_failed_attempts(request) + if two_factor_auth_enabled(user): + return handle_two_factor_auth(request, user, redirect_to) + + # Okay, security checks complete. Log the user in. + auth_login(request, user) + return HttpResponseRedirect(redirect_to) def _get_login_failed_attempts(username=None, ip=None): diff --git a/seahub/profile/templates/profile/set_profile.html b/seahub/profile/templates/profile/set_profile.html index 39fc873073..651a30f07c 100644 --- a/seahub/profile/templates/profile/set_profile.html +++ b/seahub/profile/templates/profile/set_profile.html @@ -15,6 +15,9 @@
  • {% trans "Default Library" %}
    • {% endif %}
  • {% trans "Delete Account" %}
    • + {% if two_factor_auth_enabled %} +
  • {% trans "Security" %}
    • + {% endif %} diff --git a/seahub/profile/urls.py b/seahub/profile/urls.py index 0ba3aee908..ca6aecede4 100644 --- a/seahub/profile/urls.py +++ b/seahub/profile/urls.py @@ -1,4 +1,5 @@ -from django.conf.urls import patterns, url +from django.conf.urls import patterns, url, include +from seahub.utils.two_factor_auth import HAS_TWO_FACTOR_AUTH urlpatterns = patterns('seahub.profile.views', # url(r'^list_user/$', 'list_userids', name="list_userids"), @@ -6,7 +7,14 @@ urlpatterns = patterns('seahub.profile.views', url(r'^(?P[^/]+)/get/$', 'get_user_profile', name="get_user_profile"), url(r'^delete/$', 'delete_user_account', name="delete_user_account"), url(r'^default-repo/$', 'default_repo', name="default_repo"), - - url(r'^(?P[^/]*)/$', 'user_profile', name="user_profile"), -# url(r'^logout/$', 'logout_relay', name="logout_relay"), +) + +if HAS_TWO_FACTOR_AUTH: + urlpatterns += patterns('', + (r'^two_factor_authentication/', include('seahub_extra.two_factor.urls', 'two_factor')), + ) + +# Move the catch-all pattern to the end. +urlpatterns += patterns('seahub.profile.views', + url(r'^(?P[^/]*)/$', 'user_profile', name="user_profile"), ) diff --git a/seahub/profile/views.py b/seahub/profile/views.py index 9ba174b7b3..6de76ab153 100644 --- a/seahub/profile/views.py +++ b/seahub/profile/views.py @@ -1,4 +1,5 @@ # encoding: utf-8 +from constance import config from django.conf import settings import json from django.core.urlresolvers import reverse @@ -21,6 +22,7 @@ from seahub.base.templatetags.seahub_tags import email2nickname from seahub.contacts.models import Contact from seahub.options.models import UserOptions, CryptoOptionNotSetError from seahub.utils import is_ldap_user +from seahub.utils.two_factor_auth import HAS_TWO_FACTOR_AUTH from seahub.views import get_owned_repo_list @login_required @@ -54,13 +56,13 @@ def edit_profile(request): init_dict['department'] = d_profile.department init_dict['telephone'] = d_profile.telephone form = form_class(init_dict) - + # common logic try: server_crypto = UserOptions.objects.is_server_crypto(username) except CryptoOptionNotSetError: # Assume server_crypto is ``False`` if this option is not set. - server_crypto = False + server_crypto = False sub_lib_enabled = UserOptions.objects.is_sub_lib_enabled(username) @@ -73,6 +75,8 @@ def edit_profile(request): owned_repos = get_owned_repo_list(request) owned_repos = filter(lambda r: not r.is_virtual, owned_repos) + two_factor_auth_enabled = HAS_TWO_FACTOR_AUTH and config.ENABLE_TWO_FACTOR_AUTH + return render_to_response('profile/set_profile.html', { 'form': form, 'server_crypto': server_crypto, @@ -82,6 +86,7 @@ def edit_profile(request): 'owned_repos': owned_repos, 'is_pro': is_pro_version(), 'is_ldap_user': is_ldap_user(request.user), + 'two_factor_auth_enabled': two_factor_auth_enabled, }, context_instance=RequestContext(request)) @login_required @@ -116,14 +121,14 @@ def get_user_profile(request, user): 'user_intro': '', 'err_msg': '', 'new_user': '' - } + } content_type = 'application/json; charset=utf-8' try: user_check = User.objects.get(email=user) except User.DoesNotExist: user_check = None - + if user_check: profile = Profile.objects.filter(user=user) if profile: diff --git a/seahub/settings.py b/seahub/settings.py index 9945c6eed8..c891be6a25 100644 --- a/seahub/settings.py +++ b/seahub/settings.py @@ -533,6 +533,8 @@ ADD_REPLY_TO_HEADER = False CLOUD_DEMO_USER = 'demo@seafile.com' +ENABLE_TWO_FACTOR_AUTH = False + ##################### # External settings # ##################### @@ -631,4 +633,5 @@ CONSTANCE_CONFIG = { 'USER_PASSWORD_STRENGTH_LEVEL': (USER_PASSWORD_STRENGTH_LEVEL,''), 'SHARE_LINK_PASSWORD_MIN_LENGTH': (SHARE_LINK_PASSWORD_MIN_LENGTH,''), + 'ENABLE_TWO_FACTOR_AUTH': (ENABLE_TWO_FACTOR_AUTH,''), } diff --git a/seahub/templates/sysadmin/settings.html b/seahub/templates/sysadmin/settings.html index 75c94215c9..0fa897a5c3 100644 --- a/seahub/templates/sysadmin/settings.html +++ b/seahub/templates/sysadmin/settings.html @@ -73,6 +73,12 @@ {% endwith %} + {% if has_two_factor_auth %} + {% with type="checkbox" setting_display_name="enable two factor authentication" help_tip="Enable two factor authentication" setting_name="ENABLE_TWO_FACTOR_AUTH" setting_val=config_dict.ENABLE_TWO_FACTOR_AUTH %} + {% include "snippets/web_settings_form.html" %} + {% endwith %} + {% endif %} +

    Library

    diff --git a/seahub/utils/two_factor_auth.py b/seahub/utils/two_factor_auth.py new file mode 100644 index 0000000000..b33cdc2e74 --- /dev/null +++ b/seahub/utils/two_factor_auth.py @@ -0,0 +1,9 @@ +# encoding: utf-8 + +try: + from seahub_extra.two_factor.views.login import two_factor_auth_enabled, handle_two_factor_auth + HAS_TWO_FACTOR_AUTH = True +except ImportError: + two_factor_auth_enabled = lambda *a: False + handle_two_factor_auth = None + HAS_TWO_FACTOR_AUTH = False diff --git a/seahub/views/sysadmin.py b/seahub/views/sysadmin.py index 79228c3c14..b983bb155c 100644 --- a/seahub/views/sysadmin.py +++ b/seahub/views/sysadmin.py @@ -67,6 +67,7 @@ try: from seahub.settings import MULTI_TENANCY except ImportError: MULTI_TENANCY = False +from seahub.utils.two_factor_auth import HAS_TWO_FACTOR_AUTH logger = logging.getLogger(__name__) @@ -2185,7 +2186,7 @@ def sys_settings(request): if not dj_settings.ENABLE_SETTINGS_VIA_WEB: raise Http404 - DIGIT_WEB_SETTINGS = ( + DIGIT_WEB_SETTINGS = [ 'DISABLE_SYNC_WITH_ANY_FOLDER', 'ENABLE_SIGNUP', 'ACTIVATE_AFTER_REGISTRATION', 'REGISTRATION_SEND_MAIL', 'LOGIN_REMEMBER_DAYS', 'REPO_PASSWORD_MIN_LENGTH', @@ -2194,7 +2195,10 @@ def sys_settings(request): 'USER_PASSWORD_STRENGTH_LEVEL', 'SHARE_LINK_PASSWORD_MIN_LENGTH', 'ENABLE_USER_CREATE_ORG_REPO', 'FORCE_PASSWORD_CHANGE', 'LOGIN_ATTEMPT_LIMIT', 'FREEZE_USER_ON_LOGIN_FAILED', - ) + ] + + if HAS_TWO_FACTOR_AUTH: + DIGIT_WEB_SETTINGS.append('ENABLE_TWO_FACTOR_AUTH') STRING_WEB_SETTINGS = ('SERVICE_URL', 'FILE_SERVER_ROOT',) @@ -2241,6 +2245,7 @@ def sys_settings(request): return render_to_response('sysadmin/settings.html', { 'config_dict': config_dict, + 'has_two_factor_auth': HAS_TWO_FACTOR_AUTH, }, context_instance=RequestContext(request)) @login_required_ajax diff --git a/thirdpart/registration/auth_urls.py b/thirdpart/registration/auth_urls.py index 38d5425f8c..93a1f26bc4 100644 --- a/thirdpart/registration/auth_urls.py +++ b/thirdpart/registration/auth_urls.py @@ -27,6 +27,7 @@ from django.conf import settings from django.conf.urls import patterns, url from seahub.auth import views as auth_views +from seahub.utils.two_factor_auth import HAS_TWO_FACTOR_AUTH urlpatterns = patterns('', url(r'^password/change/$', @@ -72,3 +73,11 @@ else: {'template_name': 'registration/logout.html'}, name='auth_logout'), ) + + if HAS_TWO_FACTOR_AUTH: + from seahub_extra.two_factor.views.login import TwoFactorVerifyView + urlpatterns += patterns('', + url(r'^login/two-factor-auth/$', + TwoFactorVerifyView.as_view(), + name='two_factor_auth'), + )