Sso login (#5992)

* update sso login

support work-weixin and dingtalk at the same time

* check if is pro

seahub/base/context_processors.py

@@ -18,7 +18,7 @@ from constance import config
 import seaserv
 
 from seahub.settings import SEAFILE_VERSION, SITE_DESCRIPTION, \
-    MAX_FILE_NAME, LOGO_PATH, BRANDING_CSS, LOGO_WIDTH, LOGO_HEIGHT,\
+    MAX_FILE_NAME, LOGO_PATH, BRANDING_CSS, LOGO_WIDTH, LOGO_HEIGHT, \
     SHOW_REPO_DOWNLOAD_BUTTON, SITE_ROOT, ENABLE_GUEST_INVITATION, \
     FAVICON_PATH, APPLE_TOUCH_ICON_PATH, THUMBNAIL_SIZE_FOR_ORIGINAL, \
     MEDIA_ROOT, SHOW_LOGOUT_ICON, CUSTOM_LOGO_PATH, CUSTOM_FAVICON_PATH, \
@@ -48,6 +48,7 @@ except ImportError:
     ENABLE_FILE_SCAN = False
 from seahub.work_weixin.settings import ENABLE_WORK_WEIXIN
 from seahub.weixin.settings import ENABLE_WEIXIN
+from seahub.dingtalk.settings import ENABLE_DINGTALK
 
 try:
     from seahub.settings import SIDE_NAV_FOOTER_CUSTOM_HTML
@@ -131,6 +132,8 @@ def base(request):
         'site_name': get_site_name(),
         'enable_signup': config.ENABLE_SIGNUP,
         'enable_weixin': ENABLE_WEIXIN,
+        'enable_work_weixin': ENABLE_WORK_WEIXIN,
+        'enable_dingtalk': ENABLE_DINGTALK,
         'max_file_name': MAX_FILE_NAME,
         'has_file_search': HAS_FILE_SEARCH,
         'show_repo_download_button': SHOW_REPO_DOWNLOAD_BUTTON,
@@ -162,7 +165,6 @@ def base(request):
         'enable_resumable_fileupload': dj_settings.ENABLE_RESUMABLE_FILEUPLOAD,
         'service_url': get_service_url().rstrip('/'),
         'enable_file_scan': ENABLE_FILE_SCAN,
-        'enable_work_weixin': ENABLE_WORK_WEIXIN,
         'avatar_url': avatar_url if avatar_url else '',
         'privacy_policy_link': PRIVACY_POLICY_LINK,
         'terms_of_service_link': TERMS_OF_SERVICE_LINK,

seahub/dingtalk/settings.py

@@ -1,9 +1,10 @@
 import seahub.settings as settings
+from seahub.utils import is_pro_version
 
 # constants
 DINGTALK_PROVIDER = 'dingtalk'
 
-ENABLE_DINGTALK = getattr(settings, 'ENABLE_DINGTALK', False)
+ENABLE_DINGTALK = getattr(settings, 'ENABLE_DINGTALK', False) and is_pro_version()
 DINGTALK_AGENT_ID = getattr(settings, 'DINGTALK_AGENT_ID', '')
 
 # for 10.0 or later

seahub/templates/registration/login.html

@@ -81,16 +81,31 @@ html, body, #wrapper { height:100%; }
     <button id="multi_adfs_sso" class="btn btn-secondary btn-block">{% trans "Single Sign-On" %}</button>
     {% endif %}
 
-    {% if enable_weixin %}
+    {% if enable_weixin or enable_work_weixin or enable_dingtalk %}
     <div class="text-center">
       <div class="mt-5 mb-4 d-flex align-items-center">
         <span class="login-with-wechat-deco flex-fill"></span>
         <span id="login-with-wechat" class="mx-2">{% trans "Login with" %}</span>
         <span class="login-with-wechat-deco flex-fill"></span>
       </div>
-      <a href="{% url "weixin_oauth_login" %}">
-        <img src="{{MEDIA_URL}}img/weixin.png" width="32" alt="" title="{% if LANGUAGE_CODE == 'zh-cn' %}微信{% else %}WeChat{% endif %}" />
-      </a>
+
+      {% if enable_weixin %}
+        <a href="{% url "weixin_oauth_login" %}">
+          <img src="{{MEDIA_URL}}img/weixin.png" width="32" alt="" title="{% if LANGUAGE_CODE == 'zh-cn' %}微信{% else %}WeChat{% endif %}" />
+        </a>
+      {% endif %}
+
+      {% if enable_work_weixin %}
+        <a href="{% url "work_weixin_sso" %}">
+          <img src="{{MEDIA_URL}}img/work-weixin.png" width="32" alt="" title="{% if LANGUAGE_CODE == 'zh-cn' %}企业微信{% else %}Work-WeChat{% endif %}" />
+        </a>
+      {% endif %}
+
+      {% if enable_dingtalk %}
+        <a href="{% url "dingtalk_sso" %}">
+          <img src="{{MEDIA_URL}}img/dingtalk.png" width="32" alt="" title="{% if LANGUAGE_CODE == 'zh-cn' %}钉钉{% else %}DingTalk{% endif %}" />
+        </a>
+      {% endif %}
     </div>
     {% endif %}
 

seahub/urls.py

@@ -209,6 +209,8 @@ urlpatterns = [
     path('mobile-login/', mobile_login, name="mobile_login"),
 
     path('sso/', sso, name='sso'),
+    path('work-weixin-sso/', work_weixin_sso, name='work_weixin_sso'),
+    path('dingtalk-sso/', dingtalk_sso, name='dingtalk_sso'),
     path('jwt-sso/', jwt_sso, name='jwt_sso'),
     re_path(r'^shib-login/', shib_login, name="shib_login"),
     path('oauth/', include('seahub.oauth.urls')),

seahub/views/sso.py

@@ -21,6 +21,8 @@ from seahub.utils import render_permission_error, render_error
 from seahub.api2.utils import get_token_v1, get_token_v2
 from seahub.settings import CLIENT_SSO_VIA_LOCAL_BROWSER, CLIENT_SSO_TOKEN_EXPIRATION, LOGIN_URL
 from seahub.base.models import ClientSSOToken
+from seahub.work_weixin.settings import ENABLE_WORK_WEIXIN
+from seahub.dingtalk.settings import ENABLE_DINGTALK
 
 # Get an instance of a logger
 logger = logging.getLogger(__name__)
@@ -48,25 +50,59 @@ def sso(request):
         return HttpResponseRedirect(next_page)
 
     # send next page back to other views
-    next_param = '?%s=' % REDIRECT_FIELD_NAME + quote(next_page)
+    next_param = f'?{REDIRECT_FIELD_NAME}={quote(next_page)}'
     if getattr(settings, 'ENABLE_ADFS_LOGIN', False):
         return HttpResponseRedirect(reverse('saml2_login') + next_param)
 
     if getattr(settings, 'ENABLE_OAUTH', False):
         return HttpResponseRedirect(reverse('oauth_login') + next_param)
 
-    if getattr(settings, 'ENABLE_DINGTALK', False):
-        return HttpResponseRedirect(reverse('dingtalk_login') + next_param)
-
     if getattr(settings, 'ENABLE_CAS', False):
         return HttpResponseRedirect(reverse('cas_ng_login') + next_param)
 
-    if getattr(settings, 'ENABLE_WORK_WEIXIN', False):
-        return HttpResponseRedirect(reverse('work_weixin_oauth_login') + next_param)
-
     return HttpResponseRedirect(next_page)
 
 
+def work_weixin_sso(request):
+
+    if not ENABLE_WORK_WEIXIN:
+        error_msg = _('Work weixin sso feature is not enabled')
+        return render_error(request, error_msg)
+
+    request.session['is_sso_user'] = True
+
+    # Ensure the user-originating redirection url is safe.
+    if REDIRECT_FIELD_NAME in request.GET:
+        next_page = request.GET[REDIRECT_FIELD_NAME]
+        if not url_has_allowed_host_and_scheme(url=next_page, allowed_hosts=request.get_host()):
+            next_page = settings.LOGIN_REDIRECT_URL
+    else:
+        next_page = reverse('libraries')
+
+    next_param = f'?{REDIRECT_FIELD_NAME}={quote(next_page)}'
+    return HttpResponseRedirect(reverse('work_weixin_oauth_login') + next_param)
+
+
+def dingtalk_sso(request):
+
+    if not ENABLE_DINGTALK:
+        error_msg = _('Dingtalk sso feature is not enabled')
+        return render_error(request, error_msg)
+
+    request.session['is_sso_user'] = True
+
+    # Ensure the user-originating redirection url is safe.
+    if REDIRECT_FIELD_NAME in request.GET:
+        next_page = request.GET[REDIRECT_FIELD_NAME]
+        if not url_has_allowed_host_and_scheme(url=next_page, allowed_hosts=request.get_host()):
+            next_page = settings.LOGIN_REDIRECT_URL
+    else:
+        next_page = reverse('libraries')
+
+    next_param = f'?{REDIRECT_FIELD_NAME}={quote(next_page)}'
+    return HttpResponseRedirect(reverse('dingtalk_login') + next_param)
+
+
 def jwt_sso(request):
 
     ENABLE_JWT_SSO = getattr(settings, 'ENABLE_JWT_SSO', False)

seahub/work_weixin/settings.py

@@ -1,9 +1,10 @@
 # Copyright (c) 2012-2019 Seafile Ltd.
 # encoding: utf-8
 from django.conf import settings
+from seahub.utils import is_pro_version
 
 # # work weixin base
-ENABLE_WORK_WEIXIN = getattr(settings, 'ENABLE_WORK_WEIXIN', False)
+ENABLE_WORK_WEIXIN = getattr(settings, 'ENABLE_WORK_WEIXIN', False) and is_pro_version()
 WORK_WEIXIN_CORP_ID = getattr(settings, 'WORK_WEIXIN_CORP_ID', '')
 WORK_WEIXIN_AGENT_SECRET = getattr(settings, 'WORK_WEIXIN_AGENT_SECRET', '')
 WORK_WEIXIN_ACCESS_TOKEN_URL = getattr(settings, 'WORK_WEIXIN_ACCESS_TOKEN_URL',