[Update] 用户第三方认证后，只在创建时修改用户来源信息；修改检验用户有效性逻辑； (#3517)

* [Update] 用户第三方认证后，只在创建时修改用户来源信息 * [Update] 修改检验用户有效性逻辑（解决启用LDAP等认证时，显示用户名不存在） * [Update] 修改检验用户有效性逻辑（解决启用LDAP等认证时，显示用户名不存在）2

[Update] 用户第三方认证后，只在创建时修改用户来源信息；修改检验用户有效性逻辑； (#3517)
* [Update] 用户第三方认证后，只在创建时修改用户来源信息 * [Update] 修改检验用户有效性逻辑（解决启用LDAP等认证时，显示用户名不存在） * [Update] 修改检验用户有效性逻辑（解决启用LDAP等认证时，显示用户名不存在）2
cea336a8 · BaiJiangJie · GitHub · 16864ca3 · cea336a8 · cea336a8
Unverified Commit cea336a8 authored Dec 09, 2019 by BaiJiangJie Committed by GitHub Dec 09, 2019
4 changed files
--- a/apps/authentication/backends/openid/models.py
+++ b/apps/authentication/backends/openid/models.py
@@ -6,7 +6,7 @@ from django.contrib.auth import get_user_model
 from keycloak.realm import KeycloakRealm
 from keycloak.keycloak_openid import KeycloakOpenID

-from .signals import post_create_openid_user
+from .signals import post_create_or_update_openid_user
 from .decorator import ssl_verification

 OIDT_ACCESS_TOKEN = 'oidt_access_token'
@@ -155,7 +155,7 @@ class Client(object):
        """
        userinfo = self.get_userinfo(token=token_response['access_token'])
        with transaction.atomic():
-            user, _ = get_user_model().objects.update_or_create(
+            user, created = get_user_model().objects.update_or_create(
                username=userinfo.get('preferred_username', ''),
                defaults={
                    'email': userinfo.get('email', ''),
@@ -169,7 +169,9 @@ class Client(object):
                refresh_token=token_response['refresh_token'],
            )
            if user:
-                post_create_openid_user.send(sender=user.__class__, user=user)
+                post_create_or_update_openid_user.send(
+                    sender=user.__class__, user=user, created=created
+                )

        return oidt_profile


--- a/apps/authentication/backends/openid/signals.py
+++ b/apps/authentication/backends/openid/signals.py
 from django.dispatch import Signal


-post_create_openid_user = Signal(providing_args=('user',))
+post_create_or_update_openid_user = Signal(providing_args=('user',))
 post_openid_login_success = Signal(providing_args=('user', 'request'))
--- a/apps/authentication/signals_handlers.py
+++ b/apps/authentication/signals_handlers.py
@@ -4,9 +4,10 @@ from django.dispatch import receiver
 from django.contrib.auth.signals import user_logged_out
 from django_auth_ldap.backend import populate_user

+from users.models import User
 from .backends.openid import new_client
 from .backends.openid.signals import (
-    post_create_openid_user, post_openid_login_success
+    post_create_or_update_openid_user, post_openid_login_success
 )
 from .signals import post_auth_success

@@ -29,9 +30,9 @@ def on_user_logged_out(sender, request, user, **kwargs):
    request.COOKIES['next'] = openid_logout_url


-@receiver(post_create_openid_user)
-def on_post_create_openid_user(sender, user=None,  **kwargs):
-    if user and user.username != 'admin':
+@receiver(post_create_or_update_openid_user)
+def on_post_create_or_update_openid_user(sender, user=None,  created=True, **kwargs):
+    if created and user and user.username != 'admin':
        user.source = user.SOURCE_OPENID
        user.save()

@@ -44,8 +45,10 @@ def on_openid_login_success(sender, user=None, request=None, **kwargs):
 @receiver(populate_user)
 def on_ldap_create_user(sender, user, ldap_user, **kwargs):
    if user and user.username not in ['admin']:
-        user.source = user.SOURCE_LDAP
-        user.save()
+        exists = User.objects.filter(username=user.username).exists()
+        if not exists:
+            user.source = user.SOURCE_LDAP
+            user.save()



--- a/apps/authentication/utils.py
+++ b/apps/authentication/utils.py
 # -*- coding: utf-8 -*-
 #
-from django.utils.translation import ugettext as _
 from django.contrib.auth import authenticate

-from common.utils import (
-    get_ip_city, get_object_or_none, validate_ip
-)
-from users.models import User
 from . import errors


 def check_user_valid(**kwargs):
    password = kwargs.pop('password', None)
    public_key = kwargs.pop('public_key', None)
-    email = kwargs.pop('email', None)
    username = kwargs.pop('username', None)
    request = kwargs.get('request')

-    if username:
-        user = get_object_or_none(User, username=username)
-    elif email:
-        user = get_object_or_none(User, email=email)
-    else:
-        user = None
-
-    if user is None:
-        return None, errors.reason_user_not_exist
+    user = authenticate(request, username=username,
+                        password=password, public_key=public_key)
+    if not user:
+        return None, errors.reason_password_failed
    elif user.is_expired:
        return None, errors.reason_user_inactive
    elif not user.is_active:
@@ -33,9 +22,4 @@ def check_user_valid(**kwargs):
    elif user.password_has_expired:
        return None, errors.reason_password_expired

-    if password or public_key:
-        user = authenticate(request, username=username,
-                            password=password, public_key=public_key)
-        if user:
-            return user, ''
-    return None, errors.reason_password_failed
+    return user, ''