[Update] 修改MFA

bb1349e9 · ibuler · c9ee8ede · bb1349e9 · bb1349e9 · bb1349e9
Commit bb1349e9 authored Nov 18, 2019 by ibuler
11 changed files
--- a/apps/authentication/api/mfa.py
+++ b/apps/authentication/api/mfa.py
@@ -24,7 +24,7 @@ class MFAChallengeApi(AuthMixin, CreateAPIView):
        try:
            user = self.get_user_from_session()
            code = serializer.validated_data.get('code')
-            valid = user.check_otp(code)
+            valid = user.check_mfa(code)
            if not valid:
                self.request.session['auth_mfa'] = ''
                raise errors.MFAFailedError(
@@ -52,7 +52,7 @@ class UserOtpVerifyApi(CreateAPIView):
        serializer.is_valid(raise_exception=True)
        code = serializer.validated_data["code"]

-        if request.user.check_otp(code):
+        if request.user.check_mfa(code):
            request.session["MFA_VERIFY_TIME"] = int(time.time())
            return Response({"ok": "1"})
        else:

--- a/apps/authentication/backends/radius.py
+++ b/apps/authentication/backends/radius.py
@@ -27,23 +27,6 @@ class CreateUserMixin:
            user.save()
        return user

-    def _get_auth_packet(self, username, password, client):
-        """
-        Get the pyrad authentication packet for the username/password and the
-        given pyrad client.
-        """
-        pkt = client.CreateAuthPacket(code=AccessRequest,
-                                      User_Name=username)
-        if settings.CONFIG.RADIUS_ENCRYPT_PASSWORD:
-            password = pkt.PwCrypt(password)
-        else:
-            password = password
-        pkt["User-Password"] = password
-        pkt["NAS-Identifier"] = 'django-radius'
-        for key, val in list(getattr(settings, 'RADIUS_ATTRIBUTES', {}).items()):
-            pkt[key] = val
-        return pkt
-

 class RadiusBackend(CreateUserMixin, RADIUSBackend):
    pass

--- a/apps/authentication/errors.py
+++ b/apps/authentication/errors.py
@@ -109,8 +109,7 @@ class CredentialError(AuthFailedNeedLogMixin, AuthFailedNeedBlockMixin, AuthFail


 class MFAFailedError(AuthFailedNeedLogMixin, AuthFailedError):
-    reason = reason_mfa_failed
-    error = 'mfa_failed'
+    error = reason_mfa_failed
    msg = mfa_failed_msg

    def __init__(self, username, request):

--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@@ -97,7 +97,7 @@ class AuthMixin:

    def check_user_mfa(self, code):
        user = self.get_user_from_session()
-        ok = user.check_otp(code)
+        ok = user.check_mfa(code)
        if ok:
            self.request.session['auth_mfa'] = 1
            self.request.session['auth_mfa_time'] = time.time()

--- a/apps/authentication/models.py
+++ b/apps/authentication/models.py
@@ -50,7 +50,7 @@ class LoginConfirmSetting(CommonModelMixin):

    def create_confirm_ticket(self, request=None):
        from tickets.models import Ticket
-        title = '[' + __('Login confirm') + ']: {}'.format(self.user)
+        title = _('Login confirm') + '{}'.format(self.user)
        if request:
            remote_addr = get_request_ip(request)
            city = get_ip_city(remote_addr)

--- a/apps/authentication/views/mfa.py
+++ b/apps/authentication/views/mfa.py
@@ -20,6 +20,6 @@ class UserLoginOtpView(mixins.AuthMixin, FormView):
            self.check_user_mfa(otp_code)
            return redirect_to_guard_view()
        except errors.MFAFailedError as e:
-            form.add_error('otp_code', e.reason)
+            form.add_error('otp_code', e.msg)
            return super().form_invalid(form)

--- a/apps/users/api/user.py
+++ b/apps/users/api/user.py
@@ -172,8 +172,8 @@ class UserResetOTPApi(UserQuerysetMixin, generics.RetrieveAPIView):
        if user == request.user:
            msg = _("Could not reset self otp, use profile reset instead")
            return Response({"error": msg}, status=401)
-        if user.mfa_enabled and user.otp_secret_key:
-            user.otp_secret_key = ''
+        if user.mfa_enabled:
+            user.reset_mfa()
            user.save()
            logout(request)
        return Response({"msg": "success"})
--- a/apps/users/forms.py
+++ b/apps/users/forms.py
@@ -158,8 +158,8 @@ class UserUpdateForm(UserCreateUpdateFormMixin):


 class UserProfileForm(forms.ModelForm):
-    username = forms.CharField(disabled=True)
-    name = forms.CharField(disabled=True)
+    username = forms.CharField(disabled=True, label=_("Username"))
+    name = forms.CharField(disabled=True, label=_("Name"))
    email = forms.CharField(disabled=True)

    class Meta:

--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@@ -375,13 +375,17 @@ class MFAMixin:
        self.mfa_level = 0
        self.otp_secret_key = None

+    def reset_mfa(self):
+        if self.mfa_is_otp():
+            self.otp_secret_key = ''
+
    @staticmethod
    def mfa_is_otp():
        if settings.CONFIG.OTP_IN_RADIUS:
            return False
        return True

-    def check_otp_on_radius(self, code):
+    def check_radius(self, code):
        from authentication.backends.radius import RadiusBackend
        backend = RadiusBackend()
        user = backend.authenticate(None, username=self.username, password=code)
@@ -391,13 +395,17 @@ class MFAMixin:

    def check_otp(self, code):
        from ..utils import check_otp_code
+        return check_otp_code(self.otp_secret_key, code)
+
+    def check_mfa(self, code):
        if settings.CONFIG.OTP_IN_RADIUS:
-            return self.check_otp_on_radius(code)
+            return self.check_radius(code)
        else:
-            return check_otp_code(self.otp_secret_key, code)
+            return self.check_otp(code)

    def mfa_enabled_but_not_set(self):
-        if self.mfa_enabled and self.mfa_is_otp() and not self.otp_secret_key:
+        if self.mfa_enabled and \
+                self.mfa_is_otp() and not self.otp_secret_key:
            return True
        return False


--- a/apps/users/templates/users/user_detail.html
+++ b/apps/users/templates/users/user_detail.html
@@ -7,7 +7,6 @@
    <link href="{% static "css/plugins/sweetalert/sweetalert.css" %}" rel="stylesheet">
    <script src="{% static 'js/plugins/select2/select2.full.min.js' %}"></script>
    <script src="{% static "js/plugins/sweetalert/sweetalert.min.js" %}"></script>
-    <script src="{% static "js/vue.min.js" %}"></script>
 {% endblock %}
 {% block content %}
    <div class="wrapper wrapper-content animated fadeInRight">
@@ -158,8 +157,9 @@
                                            </span></td>
                                        </tr>
                                        <tr>
-                                          <td>{% trans 'Force enabled MFA' %}:</td>
-                                            <td><span class="pull-right">
+                                            <td>{% trans 'Force enabled MFA' %}:</td>
+                                            <td>
+                                                <span class="pull-right">
                                                <div class="switch">
                                                    <div class="onoffswitch">
                                                        <input type="checkbox" class="onoffswitch-checkbox" {% if user_object.mfa_force_enabled %} checked {% endif %}
@@ -170,7 +170,8 @@
                                                        </label>
                                                    </div>
                                                </div>
-                                            </span></td>
+                                                </span>
+                                            </td>
                                        </tr>
                                        <tr>
                                            <td>{% trans 'Reset MFA' %}:</td>

--- a/apps/users/templates/users/user_profile.html
+++ b/apps/users/templates/users/user_profile.html
@@ -158,7 +158,7 @@
                                            <span class="pull-right">
                                                <a type="button" class="btn btn-primary btn-xs" style="width: 54px" id=""
                                                   href="
-                                                        {% if request.user.mfa_enabled and request.user.otp_secret_key %}
+                                                        {% if request.user.mfa_enabled %}
                                                            {% if request.user.mfa_force_enabled %}
                                                                " disabled >{% trans 'Disable' %}
                                                            {% else %}
@@ -183,7 +183,7 @@
                                        </td>
                                    </tr>
                                    {% endif %}
-                                    {% if request.user.mfa_enabled and request.user.otp_secret_key %}
+                                    {% if request.user.mfa_enabled %}
                                    <tr>
                                        <td>{% trans 'Update MFA' %}:</td>
                                        <td>