Client sso via local browser (#5627)

* client sso via local browser * improve code * optimize code * fix code * optimize code * update server-info api * fix test * fix sso.py * replace email with username
2025-09-19 10:26:17 +00:00 · 2023-12-19 15:50:02 +08:00
parent 048d0aac2c
commit 843482bd07
13 changed files with 339 additions and 5 deletions
--- a/seahub/api2/endpoints/sso/init.py
+++ b/seahub/api2/endpoints/sso/init.py
--- a/seahub/api2/endpoints/sso/client_sso_link.py
+++ b/seahub/api2/endpoints/sso/client_sso_link.py
@@ -0,0 +1,63 @@
+# -*- coding: utf-8 -*-
+import logging
+from rest_framework import status
+from rest_framework.views import APIView
+from rest_framework.reverse import reverse
+from rest_framework.response import Response
+from django.db import transaction
+from django.shortcuts import get_object_or_404
+from django.utils import timezone
+
+from seahub.api2.throttling import AnonRateThrottle
+from seahub.base.models import ClientSSOToken, STATUS_ERROR
+from seahub.utils import get_service_url, gen_token
+from seahub.api2.utils import api_error
+from seahub.settings import CLIENT_SSO_TOKEN_EXPIRATION
+
+logger = logging.getLogger(__name__)
+
+
+class ClientSSOLink(APIView):
+    throttle_classes = (AnonRateThrottle, )
+
+    def get(self, request, token):
+        # query SSO status
+        t = get_object_or_404(ClientSSOToken, token=token)
+        if not t.is_success():
+            logger.error('{} client sso login status: not success status.'.format(token))
+            return Response({'status': t.status})
+
+        if not t.accessed_at:
+            logger.error('{} client sso login error: no accessed_at info.'.format(token))
+            return Response({'status': STATUS_ERROR})
+
+        interval = (timezone.now() - t.accessed_at).total_seconds()
+        if int(interval) >= CLIENT_SSO_TOKEN_EXPIRATION:
+            logger.error('{} client sso login error: login timeout.'.format(token))
+            return Response({'status': STATUS_ERROR})
+
+        return Response({
+            'status': t.status,
+            'username': t.username,
+            'apiToken': t.api_key
+        })
+
+    def post(self, request):
+        # create SSO link
+        token = gen_token(30) + gen_token(30)
+        transaction.set_autocommit(False)
+        try:
+            t = ClientSSOToken(token=token)
+            t.save()
+            transaction.commit()
+        except Exception as e:
+            logger.error(e)
+            transaction.rollback()
+            return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, 'Internal Server Error')
+        finally:
+            transaction.set_autocommit(True)
+
+        return Response({
+            'link': get_service_url().rstrip('/') + reverse(
+                'client_sso', args=[t.token])
+        })
--- a/seahub/api2/urls.py
+++ b/seahub/api2/urls.py
@@ -15,6 +15,7 @@ from .endpoints.file_comments_counts import FileCommentsCounts
 from .endpoints.search_user import SearchUser
 from .endpoints.send_share_link_email import SendShareLinkView
 from .endpoints.send_upload_link_email import SendUploadLinkView
+from .endpoints.sso.client_sso_link import ClientSSOLink

 urlpatterns = [
    path('ping/', Ping.as_view()),
@@ -115,3 +116,10 @@ if HAS_OFFICE_CONVERTER:
    urlpatterns += [
        re_path(r'^office-convert/generate/repos/(?P<repo_id>[-0-9-a-f]{36})/$', OfficeGenerateView.as_view()),
    ]
+
+from seahub.settings import CLIENT_SSO_VIA_LOCAL_BROWSER
+if CLIENT_SSO_VIA_LOCAL_BROWSER:
+    urlpatterns += [
+        path('client-sso-link/', ClientSSOLink.as_view()),
+        re_path(r'^client-sso-link/(?P<token>[^/]+)/$', ClientSSOLink.as_view()),
+    ]
--- a/seahub/api2/views_misc.py
+++ b/seahub/api2/views_misc.py
@@ -31,6 +31,9 @@ class ServerInfoView(APIView):
        if config.DISABLE_SYNC_WITH_ANY_FOLDER:
            features.append('disable-sync-with-any-folder')

+        if config.CLIENT_SSO_VIA_LOCAL_BROWSER:
+            features.append('client-sso-via-local-browser')
+
        if hasattr(settings, 'DESKTOP_CUSTOM_LOGO'):
            info['desktop-custom-logo'] = settings.MEDIA_URL + getattr(settings, 'DESKTOP_CUSTOM_LOGO')

--- a/seahub/base/models.py
+++ b/seahub/base/models.py
@@ -9,7 +9,7 @@ from pysearpc import SearpcError
 from seaserv import seafile_api

 from seahub.auth.signals import user_logged_in
-from seahub.utils import within_time_range, \
+from seahub.utils import within_time_range, gen_token, \
        normalize_file_path, normalize_dir_path
 from seahub.utils.timeutils import datetime_to_isoformat_timestr
 from seahub.tags.models import FileUUIDMap
@@ -395,3 +395,59 @@ class UserMonitoredRepos(models.Model):

    class Meta:
        unique_together = [["email", "repo_id"]]
+
+
+STATUS_WAITING = 'waiting'
+STATUS_SUCCESS = 'success'
+STATUS_ERROR = 'error'
+
+
+class ClientSSOTokenManager(models.Manager):
+    def new(self):
+        o = self.model()
+        o.save(using=self._db)
+        return o
+
+
+class ClientSSOToken(models.Model):
+    STATUS_CHOICES = (
+        (STATUS_WAITING, 'waiting'),
+        (STATUS_SUCCESS, 'success'),
+        (STATUS_ERROR, 'error'),
+    )
+
+    token = models.CharField(max_length=100, unique=True)
+    username = LowerCaseCharField(max_length=255, db_index=True, blank=True, null=True)
+    status = models.CharField(max_length=10, default=STATUS_WAITING, choices=STATUS_CHOICES)
+    api_key = models.CharField(max_length=40, blank=True, null=True)
+    created_at = models.DateTimeField(db_index=True, auto_now_add=True)
+    updated_at = models.DateTimeField(db_index=True, blank=True, null=True)
+    accessed_at = models.DateTimeField(db_index=True, blank=True, null=True)
+    objects = ClientSSOTokenManager()
+
+    def gen_token(self):
+        return gen_token(30) + gen_token(30)
+
+    def is_waiting(self):
+        return self.status == STATUS_WAITING
+
+    def is_success(self):
+        return self.status == STATUS_SUCCESS
+
+    def completed(self, username, api_key):
+        assert self.is_waiting() is True
+
+        self.username = username
+        self.api_key = api_key
+        self.status = STATUS_SUCCESS
+        self.updated_at = timezone.now()
+        self.save()
+
+    def accessed(self):
+        self.accessed_at = timezone.now()
+        self.save()
+
+    def save(self, *args, **kwargs):
+        if not self.token:
+            self.token = self.gen_token()
+        return super(ClientSSOToken, self).save(*args, **kwargs)
--- a/seahub/settings.py
+++ b/seahub/settings.py
@@ -762,6 +762,10 @@ ENABLE_SSO_TO_THIRDPART_WEBSITE = False
 THIRDPART_WEBSITE_SECRET_KEY = ''
 THIRDPART_WEBSITE_URL = ''

+# client sso
+CLIENT_SSO_VIA_LOCAL_BROWSER = False
+CLIENT_SSO_TOKEN_EXPIRATION = 5 * 60
+
 #####################
 # Global AddressBook #
 #####################
@@ -989,6 +993,9 @@ CONSTANCE_CONFIG = {

    'ENABLE_TERMS_AND_CONDITIONS': (ENABLE_TERMS_AND_CONDITIONS, ''),
    'ENABLE_USER_CLEAN_TRASH': (ENABLE_USER_CLEAN_TRASH, ''),
+
+    'CLIENT_SSO_VIA_LOCAL_BROWSER': (CLIENT_SSO_VIA_LOCAL_BROWSER, ''),
+    'CLIENT_SSO_TOKEN_EXPIRATION': (CLIENT_SSO_TOKEN_EXPIRATION, ''),
 }

 # if Seafile admin enable remote user authentication in conf/seahub_settings.py
--- a/seahub/templates/client_login_confirm.html
+++ b/seahub/templates/client_login_confirm.html
@@ -0,0 +1,20 @@
+{% extends "base.html" %}
+{% load i18n %}
+
+{% block extra_style %}
+<link rel="stylesheet" type="text/css" href="{{ MEDIA_URL }}css/bootstrap.popover.min.css" />
+{% endblock %}
+
+{% block main_content %}
+<div class="new-narrow-panel">
+    <h2 class="hd">{% trans "Client Login Confirm" %}</h2>
+    <form action="" method="post" class="con">{% csrf_token %}
+    <label>{% trans "Do you want to login to your client?" %}</label><br />
+    <input type="submit" value="{% trans "Yes" %}" class="submit" />
+  </form>
+</div>
+{% endblock %}
+
+{% block extra_script %}
+<script type="text/javascript" src="{{MEDIA_URL}}js/bootstrap.min.js"></script>
+{% endblock %}
--- a/seahub/urls.py
+++ b/seahub/urls.py
@@ -972,3 +972,9 @@ if settings.ENABLE_SEAFILE_AI:
        re_path(r'^api/v2.1/ai/library-index-state/$', LibraryIndexState.as_view(), name='api-v2.1-ai-library-index-state'),
        re_path(r'^api/v2.1/ai/repo/file-download-token/$', FileDownloadToken.as_view(), name='api-v2.1-ai-repo-file-download-token'),
    ]
+
+if getattr(settings, 'CLIENT_SSO_VIA_LOCAL_BROWSER', False):
+    urlpatterns += [
+        re_path(r'^client-sso/(?P<token>[^/]+)/$', client_sso, name="client_sso"),
+        re_path(r'^client-sso/(?P<token>[^/]+)/complete/$', client_sso_complete, name="client_sso_complete"),
+    ]
--- a/seahub/views/sso.py
+++ b/seahub/views/sso.py
@@ -1,17 +1,29 @@
 # Copyright (c) 2012-2016 Seafile Ltd.
+# -*- coding: utf-8 -*-
 import jwt
 import time
+import logging

 from django.conf import settings
 from django.urls import reverse
 from django.http import HttpResponseRedirect
 from urllib.parse import quote
 from django.utils.http import url_has_allowed_host_and_scheme
+from django.utils import timezone
+from django.utils.translation import gettext as _
+from django.shortcuts import get_object_or_404, render
+from django.views.decorators.csrf import csrf_protect

 from seahub.base.templatetags.seahub_tags import email2nickname
-
 from seahub.auth import REDIRECT_FIELD_NAME
-from seahub.utils import render_error
+from seahub.auth.decorators import login_required
+from seahub.utils import render_permission_error, render_error
+from seahub.api2.utils import get_token_v1, get_token_v2
+from seahub.settings import CLIENT_SSO_VIA_LOCAL_BROWSER, CLIENT_SSO_TOKEN_EXPIRATION, LOGIN_URL
+from seahub.base.models import ClientSSOToken
+
+# Get an instance of a logger
+logger = logging.getLogger(__name__)


 def sso(request):
@@ -106,3 +118,84 @@ def shib_login(request):
        return HttpResponseRedirect(reverse('multi_adfs_sso') + params)

    return HttpResponseRedirect(reverse('sso') + params)
+
+
+def client_sso(request, token):
+    if not CLIENT_SSO_VIA_LOCAL_BROWSER:
+        return render_error(request, 'Feature is not enabled.')
+
+    t = get_object_or_404(ClientSSOToken, token=token)
+    if not t.accessed_at:
+        t.accessed()
+    else:
+        error_msg = _('This link has already been visited, please click the login button on the client again')
+        return render_error(request, error_msg)
+
+    next_page = reverse('client_sso_complete', args=[token, ])
+
+    # client platform args used to create api v2 token
+    req_qs = request.META['QUERY_STRING']
+    if req_qs:
+        next_page = next_page + '?' + req_qs
+
+    # light security check
+    if not url_has_allowed_host_and_scheme(url=next_page, allowed_hosts=request.get_host()):
+        logger.error('%s is not safe url.' % next_page)
+        next_page = reverse('client_sso_complete', args=[token, ])
+
+    redirect_url = LOGIN_URL + '?next=' + quote(next_page)
+    return HttpResponseRedirect(redirect_url)
+
+
+@csrf_protect
+@login_required
+def client_sso_complete(request, token):
+
+    t = get_object_or_404(ClientSSOToken, token=token)
+    if not t.accessed_at:
+        error_msg = _('Invalid link, please click the login button on the client again')
+        return render_error(request, error_msg)
+
+    interval = (timezone.now() - t.accessed_at).total_seconds()
+    if int(interval) >= CLIENT_SSO_TOKEN_EXPIRATION:
+        error_msg = _('Login timeout, please click the login button on the client again')
+        return render_error(request, error_msg)
+
+    if request.method == "GET":
+
+        template_name = 'client_login_confirm.html'
+        return render(request, template_name, {})
+
+    elif request.method == "POST":
+
+        username = request.user.username
+
+        if t.is_waiting():
+            # generate tokenv2 using information in request params
+            keys = (
+                'platform',
+                'device_id',
+                'device_name',
+                'client_version',
+                'platform_version',
+            )
+            if all(['shib_' + key in request.GET for key in keys]):
+                platform = request.GET['shib_platform']
+                device_id = request.GET['shib_device_id']
+                device_name = request.GET['shib_device_name']
+                client_version = request.GET['shib_client_version']
+                platform_version = request.GET['shib_platform_version']
+                api_token = get_token_v2(
+                    request, username, platform, device_id,
+                    device_name, client_version, platform_version)
+            elif all(['shib_' + key not in request.GET for key in keys]):
+                api_token = get_token_v1(username)
+
+            t.completed(username=username, api_key=api_token.key)
+            logger.info('Client SSO success, token: %s, user: %s' % (token, username))
+        else:
+            logger.warning('Client SSO token is not waiting, skip.')
+
+        return HttpResponseRedirect(reverse('libraries'))
+    else:
+        return render_permission_error(request, _('Permission denied.'))
--- a/tests/api/endpoints/sso/init.py
+++ b/tests/api/endpoints/sso/init.py
--- a/tests/api/endpoints/sso/test_client_sso_link.py
+++ b/tests/api/endpoints/sso/test_client_sso_link.py
@@ -0,0 +1,48 @@
+import json
+
+from django.test import TransactionTestCase
+from django.urls import path, re_path
+
+from seahub.base.models import ClientSSOToken
+from seahub.test_utils import Fixtures
+from seahub.api2.urls import urlpatterns as api2_urls
+from seahub.api2.endpoints.sso.client_sso_link import ClientSSOLink
+from seahub.urls import urlpatterns
+from seahub.views.sso import client_sso
+
+urlpatterns += [
+    re_path(r'^client-sso/(?P<token>[^/]+)/$', client_sso, name="client_sso"),
+]
+
+api2_urls += [
+    path('client-sso-link/', ClientSSOLink.as_view()),
+    re_path(r'^client-sso-link/(?P<token>[^/]+)/$', ClientSSOLink.as_view()),
+]
+
+
+class ClientSSOLinkTest(TransactionTestCase, Fixtures):
+
+    def test_create(self):
+        resp = self.client.post('/api2/client-sso-link/')
+        self.assertEqual(resp.status_code, 200)
+
+        json_resp = json.loads(resp.content)
+        assert json_resp['link'] is not None
+
+    def test_query_status(self):
+        t = ClientSSOToken.objects.new()
+        url = '/api2/client-sso-link/%s/' % t.token
+
+        resp = self.client.get(url)
+        self.assertEqual(resp.status_code, 200)
+        json_resp = json.loads(resp.content)
+        assert json_resp['status'] == 'waiting'
+
+        t.accessed()
+        t.completed(username=self.user.username, api_key='xxx')
+
+        resp = self.client.get(url)
+        json_resp = json.loads(resp.content)
+        assert json_resp['status'] == 'success'
+        assert json_resp['username'] == self.user.username
+        assert json_resp['apiToken'] == 'xxx'
--- a/tests/seahub/base/test_models.py
+++ b/tests/seahub/base/test_models.py
@@ -1,6 +1,6 @@
 import hashlib

-from seahub.base.models import FileComment
+from seahub.base.models import FileComment, ClientSSOToken
 from seahub.test_utils import BaseTestCase
 from seahub.tags.models import FileUUIDMap

@@ -89,3 +89,11 @@ class FileCommentTest(BaseTestCase):
                    comment='test comment').save()

        assert len(FileComment.objects.all()) == 1
+
+
+class ClientSSOTokenManagerTest(BaseTestCase):
+    def test_new(self):
+        t = ClientSSOToken.objects.new()
+        assert len(t.token) == 60
+        assert t.created_at is not None
+        assert t.api_key is None
--- a/tests/seahub/views/test_sso.py
+++ b/tests/seahub/views/test_sso.py
@@ -1,10 +1,17 @@
 from django.conf import settings
 from django.urls import reverse
 from django.test import override_settings
+from django.urls import re_path
 from urllib.parse import quote

+from seahub.base.models import ClientSSOToken
 from seahub.test_utils import BaseTestCase
-from seahub.views.sso import sso
+from seahub.views.sso import sso, client_sso_complete
+from seahub.urls import urlpatterns
+
+urlpatterns += [
+    re_path(r'^client-sso/(?P<token>[^/]+)/complete/$', client_sso_complete, name="client_sso_complete"),
+]


 class SSOTest(BaseTestCase):
@@ -22,3 +29,18 @@ class SSOTest(BaseTestCase):

        resp = self.client.get(self.url + '?next=' + quote('http://testserver\@example.com'))
        self.assertRegex(resp['Location'], settings.LOGIN_REDIRECT_URL)
+
+    def test_client_sso_complete(self):
+        self.login_as(self.user)
+
+        t = ClientSSOToken.objects.new()
+        assert t.api_key is None
+        assert t.username is None
+
+        t.accessed()
+        resp = self.client.post('/client-sso/%s/complete/' % t.token)
+        self.assertEqual(resp.status_code, 302)
+
+        t2 = ClientSSOToken.objects.get(token=t.token)
+        assert t2.api_key is not None
+        assert t2.username == self.user.username