support two factor authentication

2025-09-20 10:58:33 +00:00 · 2016-04-15 09:08:22 +08:00
parent 37f6648a12
commit 3d04bfea6d
9 changed files with 65 additions and 13 deletions
--- a/seahub/auth/views.py
+++ b/seahub/auth/views.py
@@ -28,6 +28,7 @@ from seahub.profile.models import Profile
 from seahub.utils import is_ldap_user
 from seahub.utils.http import is_safe_url
 from seahub.utils.ip import get_remote_ip
+from seahub.utils.two_factor_auth import two_factor_auth_enabled, handle_two_factor_auth

 from constance import config

@@ -43,14 +44,17 @@ def log_user_in(request, user, redirect_to):
    if not is_safe_url(url=redirect_to, host=request.get_host()):
        redirect_to = settings.LOGIN_REDIRECT_URL

-    # Okay, security checks complete. Log the user in.
-    auth_login(request, user)
-
    if request.session.test_cookie_worked():
        request.session.delete_test_cookie()

    _clear_login_failed_attempts(request)

+    if two_factor_auth_enabled(user):
+        return handle_two_factor_auth(request, user, redirect_to)
+
+    # Okay, security checks complete. Log the user in.
+    auth_login(request, user)
+
    return HttpResponseRedirect(redirect_to)

 def _get_login_failed_attempts(username=None, ip=None):
--- a/seahub/profile/templates/profile/set_profile.html
+++ b/seahub/profile/templates/profile/set_profile.html
@@ -15,6 +15,9 @@
        <li class="tab"><a href="#default-lib">{% trans "Default Library" %}</a></li>
        {% endif %}
        <li class="tab"><a href="#del-account">{% trans "Delete Account" %}</a></li>
+        {% if two_factor_auth_enabled %}
+        <li class="tab"><a href="{% url 'two_factor:profile' %}">{% trans "Security" %}</a></li>
+        {% endif %}
    </ul>
 </div>

--- a/seahub/profile/urls.py
+++ b/seahub/profile/urls.py
@@ -1,4 +1,5 @@
-from django.conf.urls import patterns, url
+from django.conf.urls import patterns, url, include
+from seahub.utils.two_factor_auth import HAS_TWO_FACTOR_AUTH

 urlpatterns = patterns('seahub.profile.views',
 #    url(r'^list_user/$', 'list_userids', name="list_userids"),
@@ -6,7 +7,14 @@ urlpatterns = patterns('seahub.profile.views',
    url(r'^(?P<user>[^/]+)/get/$', 'get_user_profile', name="get_user_profile"),
    url(r'^delete/$', 'delete_user_account', name="delete_user_account"),
    url(r'^default-repo/$', 'default_repo', name="default_repo"),
-
-    url(r'^(?P<username>[^/]*)/$', 'user_profile', name="user_profile"),
-#    url(r'^logout/$', 'logout_relay', name="logout_relay"),
+)
+
+if HAS_TWO_FACTOR_AUTH:
+    urlpatterns += patterns('',
+        (r'^two_factor_authentication/', include('seahub_extra.two_factor.urls', 'two_factor')),
+    )
+
+# Move the catch-all pattern to the end.
+urlpatterns += patterns('seahub.profile.views',
+    url(r'^(?P<username>[^/]*)/$', 'user_profile', name="user_profile"),
 )
--- a/seahub/profile/views.py
+++ b/seahub/profile/views.py
@@ -1,4 +1,5 @@
 # encoding: utf-8
+from constance import config
 from django.conf import settings
 import json
 from django.core.urlresolvers import reverse
@@ -21,6 +22,7 @@ from seahub.base.templatetags.seahub_tags import email2nickname
 from seahub.contacts.models import Contact
 from seahub.options.models import UserOptions, CryptoOptionNotSetError
 from seahub.utils import is_ldap_user
+from seahub.utils.two_factor_auth import HAS_TWO_FACTOR_AUTH
 from seahub.views import get_owned_repo_list

@login_required
@@ -73,6 +75,8 @@ def edit_profile(request):
    owned_repos = get_owned_repo_list(request)
    owned_repos = filter(lambda r: not r.is_virtual, owned_repos)

+    two_factor_auth_enabled = HAS_TWO_FACTOR_AUTH and config.ENABLE_TWO_FACTOR_AUTH
+
    return render_to_response('profile/set_profile.html', {
            'form': form,
            'server_crypto': server_crypto,
@@ -82,6 +86,7 @@ def edit_profile(request):
            'owned_repos': owned_repos,
            'is_pro': is_pro_version(),
            'is_ldap_user': is_ldap_user(request.user),
+            'two_factor_auth_enabled': two_factor_auth_enabled,
            }, context_instance=RequestContext(request))

@login_required
--- a/seahub/settings.py
+++ b/seahub/settings.py
@@ -533,6 +533,8 @@ ADD_REPLY_TO_HEADER = False

 CLOUD_DEMO_USER = 'demo@seafile.com'

+ENABLE_TWO_FACTOR_AUTH = False
+
 #####################
 # External settings #
 #####################
@@ -631,4 +633,5 @@ CONSTANCE_CONFIG = {
    'USER_PASSWORD_STRENGTH_LEVEL': (USER_PASSWORD_STRENGTH_LEVEL,''),

    'SHARE_LINK_PASSWORD_MIN_LENGTH': (SHARE_LINK_PASSWORD_MIN_LENGTH,''),
+    'ENABLE_TWO_FACTOR_AUTH': (ENABLE_TWO_FACTOR_AUTH,''),
 }
--- a/seahub/templates/sysadmin/settings.html
+++ b/seahub/templates/sysadmin/settings.html
@@ -73,6 +73,12 @@
    {% endwith %}
    </div>

+    {% if has_two_factor_auth %}
+    {% with type="checkbox" setting_display_name="enable two factor authentication" help_tip="Enable two factor authentication" setting_name="ENABLE_TWO_FACTOR_AUTH" setting_val=config_dict.ENABLE_TWO_FACTOR_AUTH %}
+        {% include "snippets/web_settings_form.html" %}
+    {% endwith %}
+    {% endif %}
+
    <h4>Library</h4>

    <div>
--- a/seahub/utils/two_factor_auth.py
+++ b/seahub/utils/two_factor_auth.py
@@ -0,0 +1,9 @@
+# encoding: utf-8
+
+try:
+    from seahub_extra.two_factor.views.login import two_factor_auth_enabled, handle_two_factor_auth
+    HAS_TWO_FACTOR_AUTH = True
+except ImportError:
+    two_factor_auth_enabled = lambda *a: False
+    handle_two_factor_auth = None
+    HAS_TWO_FACTOR_AUTH = False
--- a/seahub/views/sysadmin.py
+++ b/seahub/views/sysadmin.py
@@ -67,6 +67,7 @@ try:
    from seahub.settings import MULTI_TENANCY
 except ImportError:
    MULTI_TENANCY = False
+from seahub.utils.two_factor_auth import HAS_TWO_FACTOR_AUTH

 logger = logging.getLogger(__name__)

@@ -2185,7 +2186,7 @@ def sys_settings(request):
    if not dj_settings.ENABLE_SETTINGS_VIA_WEB:
        raise Http404

-    DIGIT_WEB_SETTINGS = (
+    DIGIT_WEB_SETTINGS = [
        'DISABLE_SYNC_WITH_ANY_FOLDER', 'ENABLE_SIGNUP',
        'ACTIVATE_AFTER_REGISTRATION', 'REGISTRATION_SEND_MAIL',
        'LOGIN_REMEMBER_DAYS', 'REPO_PASSWORD_MIN_LENGTH',
@@ -2194,7 +2195,10 @@ def sys_settings(request):
        'USER_PASSWORD_STRENGTH_LEVEL', 'SHARE_LINK_PASSWORD_MIN_LENGTH',
        'ENABLE_USER_CREATE_ORG_REPO', 'FORCE_PASSWORD_CHANGE',
        'LOGIN_ATTEMPT_LIMIT', 'FREEZE_USER_ON_LOGIN_FAILED',
-    )
+    ]
+
+    if HAS_TWO_FACTOR_AUTH:
+        DIGIT_WEB_SETTINGS.append('ENABLE_TWO_FACTOR_AUTH')

    STRING_WEB_SETTINGS = ('SERVICE_URL', 'FILE_SERVER_ROOT',)

@@ -2241,6 +2245,7 @@ def sys_settings(request):

    return render_to_response('sysadmin/settings.html', {
        'config_dict': config_dict,
+        'has_two_factor_auth': HAS_TWO_FACTOR_AUTH,
    }, context_instance=RequestContext(request))

@login_required_ajax
--- a/thirdpart/registration/auth_urls.py
+++ b/thirdpart/registration/auth_urls.py
@@ -27,6 +27,7 @@ from django.conf import settings
 from django.conf.urls import patterns, url

 from seahub.auth import views as auth_views
+from seahub.utils.two_factor_auth import HAS_TWO_FACTOR_AUTH

 urlpatterns = patterns('',
                       url(r'^password/change/$',
@@ -72,3 +73,11 @@ else:
                                {'template_name': 'registration/logout.html'},
                                name='auth_logout'),
                            )
+
+    if HAS_TWO_FACTOR_AUTH:
+        from seahub_extra.two_factor.views.login import TwoFactorVerifyView
+        urlpatterns += patterns('',
+                                url(r'^login/two-factor-auth/$',
+                                    TwoFactorVerifyView.as_view(),
+                                    name='two_factor_auth'),
+                                )