From 28661b0d9c5608798e26d2e4b23dd71176ca8e22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=90=91=E4=B9=90=F0=9F=8C=8C?= Date: Thu, 20 May 2021 13:11:55 +0800 Subject: [PATCH] dynamic create crypto_key when django running --- pwdselfservice/__init__.py | 3 +++ resetpwd/utils.py | 34 +++++++++++++++++++++++----------- resetpwd/views.py | 38 +++++++++++++++----------------------- utils/crypto.py | 14 +------------- 4 files changed, 42 insertions(+), 47 deletions(-) diff --git a/pwdselfservice/__init__.py b/pwdselfservice/__init__.py index 0844292..c739e70 100644 --- a/pwdselfservice/__init__.py +++ b/pwdselfservice/__init__.py @@ -5,6 +5,7 @@ from django_redis import get_redis_connection from utils.storage.memorystorage import MemoryStorage from utils.storage.kvstorage import KvStorage +from cryptography.fernet import Fernet try: redis_conn = get_redis_connection() @@ -18,3 +19,5 @@ except Exception as e: print("如果确定需要使用Redis作为缓存,请排查Redis配置,错误信息如下:") print("Redis Exception: {}".format(e)) + +crypto_key = Fernet.generate_key() diff --git a/resetpwd/utils.py b/resetpwd/utils.py index 7580d5d..965cfde 100644 --- a/resetpwd/utils.py +++ b/resetpwd/utils.py @@ -7,10 +7,12 @@ # @Date: 2021/5/20 8:47 from django.shortcuts import render +from django.http import HttpResponseRedirect import logging from utils.crypto import Crypto -from pwdselfservice.local_settings import CRYPTO_KEY +from pwdselfservice.local_settings import TMPID_COOKIE_AGE from django.conf import settings +from pwdselfservice import crypto_key logger = logging.getLogger('django') 
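Review bot: `crypto_key = Fernet.generate_key()` at the end of pwdselfservice/__init__.py yields a different key in every Python process, so under a multi-worker server (several gunicorn/uwsgi processes) a `tmpid` cookie encrypted by one worker cannot be decrypted by another, and every restart invalidates all outstanding cookies; the decrypt sites in resetpwd/utils.py (hunks @@ -51 and @@ -79) inherit this. If per-boot rotation on a single-process deployment is the intent, say so at this line, e.g. `# Per-process key: tmpid cookies are only valid within one worker and until restart.`; otherwise generate the key once outside the app (into local_settings or the environment) and load it here. Placing the generation in the package `__init__` also means `from pwdselfservice import crypto_key` in resetpwd/utils.py runs the Redis-connection block above it as a side effect of a plain import, which seems worth a comment. As a point of style, the new `from cryptography.fernet import Fernet` belongs with the third-party imports above the `utils.storage` lines rather than after them.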
@@ -36,13 +38,13 @@ def code_2_user_id(ops, request, msg_template, home_url, code): return user_id, user_info -def tmpid_2_user_info(ops, request, msg_template, home_url, scan_app_tag): +def crypto_id_2_user_info(ops, request, msg_template, home_url, scan_app_tag): try: - tmpid_crypto = request.COOKIES.get('tmpid') + crypto_tmp_id = request.COOKIES.get('tmpid') except Exception as e: - tmpid_crypto = None + crypto_tmp_id = None logger.error('[异常] :%s' % str(e)) - if not tmpid_crypto: + if not crypto_tmp_id: logger.error('[异常] 请求方法:%s,请求路径:%s,未能拿到TmpID或会话己超时。' % (request.method, request.path)) context = { 'msg': "会话己超时,请重新扫码验证用户信息。", @@ -51,8 +53,8 @@ def tmpid_2_user_info(ops, request, msg_template, home_url, scan_app_tag): } return render(request, msg_template, context) # 解密 - crypto = Crypto(CRYPTO_KEY) - user_id = crypto.decrypt(tmpid_crypto) + crypto = Crypto(crypto_key) + user_id = crypto.decrypt(crypto_tmp_id) # 通过user_id拿到用户的邮箱,并格式化为username userid_status, user_info = ops.get_user_detail_by_user_id(user_id) if not userid_status: @@ -66,9 +68,19 @@ def tmpid_2_user_info(ops, request, msg_template, home_url, scan_app_tag): return user_info -def tmpid_2_user_id(request, msg_template, home_url): +def crypto_user_id_2_cookie(user_id): + crypto = Crypto(crypto_key) + # 对user_id进行加密,因为user_id基本上固定不变的,为了防止user_id泄露而导致重复使用,进行加密后再传回。 + _id_cryto = crypto.encrypt(user_id) + # 配置cookie,通过cookie把加密后的用户user_id传到重置密码页面,并重定向到重置密码页面。 + set_cookie = HttpResponseRedirect('resetPassword') + set_cookie.set_cookie('tmpid', _id_cryto, expires=TMPID_COOKIE_AGE) + return set_cookie + + +def crypto_id_2_user_id(request, msg_template, home_url): try: - tmpid_crypto = request.COOKIES.get('tmpid') + crypto_tmp_id = request.COOKIES.get('tmpid') except Exception as e: logger.error('[异常] :%s' % str(e)) logger.error('[异常] 请求方法:%s,请求路径:%s,未能拿到TmpID或会话己超时。' % (request.method, request.path)) 
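Review bot: `user_id = crypto.decrypt(crypto_tmp_id)` in crypto_id_2_user_info sits outside the try block, and Fernet's decrypt raises `cryptography.fernet.InvalidToken` for a tampered, stale or foreign-key token (with the per-process key from pwdselfservice/__init__.py, that includes any cookie minted by another worker), so such a cookie produces an unhandled exception instead of the session-expired page. Wrap the call — `try:` / `    user_id = crypto.decrypt(crypto_tmp_id)` / `except InvalidToken:` — and in the handler log the request like the `if not crypto_tmp_id` branch does and render the same "会话己超时" context; `InvalidToken` is importable from `cryptography.fernet`, which this file's Crypto wrapper already depends on. The same applies to `return crypto.decrypt(crypto_tmp_id)` in the @@ -79 hunk of this file.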
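Review bot: `set_cookie.set_cookie('tmpid', _id_cryto, expires=TMPID_COOKIE_AGE)` in the new crypto_user_id_2_cookie issues the cookie that authorizes the password reset without `httponly=True`, `secure=True` or `samesite`, so page script can read it and it is sent over plain HTTP. Django's `expires` expects a datetime or a date string; if TMPID_COOKIE_AGE is a number of seconds, as its name suggests, `max_age` is the matching argument, giving `set_cookie.set_cookie('tmpid', _id_cryto, max_age=TMPID_COOKIE_AGE, httponly=True, samesite='Lax')` plus `secure=True` wherever the service is served over HTTPS. The local name `_id_cryto` looks like a typo for `_id_crypto`.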
@@ -79,8 +91,8 @@ def tmpid_2_user_id(request, msg_template, home_url): } return render(request, msg_template, context) # 解密 - crypto = Crypto(CRYPTO_KEY) - return crypto.decrypt(tmpid_crypto) + crypto = Crypto(crypto_key) + return crypto.decrypt(crypto_tmp_id) def ops_account(ad_ops, request, msg_template, home_url, username, new_password): diff --git a/resetpwd/views.py b/resetpwd/views.py index aed107f..e9b2463 100644 --- a/resetpwd/views.py +++ b/resetpwd/views.py @@ -2,13 +2,13 @@ import logging from django.http import HttpResponseRedirect from django.shortcuts import render -from pwdselfservice.local_settings import SCAN_CODE_TYPE, DING_MO_APP_ID, WEWORK_CORP_ID, WEWORK_AGENT_ID, HOME_URL, CRYPTO_KEY, TMPID_COOKIE_AGE +from pwdselfservice.local_settings import SCAN_CODE_TYPE, DING_MO_APP_ID, WEWORK_CORP_ID, WEWORK_AGENT_ID, HOME_URL, TMPID_COOKIE_AGE from utils.ad_ops import AdOps from utils.crypto import Crypto from utils.format_username import format2username, get_user_is_active from .form import CheckForm -from .utils import code_2_user_id, tmpid_2_user_info, ops_account, tmpid_2_user_id +from .utils import code_2_user_id, crypto_id_2_user_info, ops_account, crypto_id_2_user_id, crypto_user_id_2_cookie msg_template = 'messages.html' logger = logging.getLogger('django') @@ -33,9 +33,10 @@ scan_params = PARAMS() _ops = scan_params.ops try: ad_ops = AdOps() + print("初始化Active Directory连接成功...") except Exception as e: ad_ops = None - print("初始化Active Directory连接失败") + print("初始化Active Directory连接失败...") print(str(e)) 
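Review bot: After the import hunk of resetpwd/views.py, `Crypto`, `HttpResponseRedirect` and `TMPID_COOKIE_AGE` are still imported although the only use this patch shows for them — the cookie block in callback_check — moves into resetpwd/utils.py; if no other use remains in views.py, drop `from utils.crypto import Crypto` and `TMPID_COOKIE_AGE` from the `local_settings` import so the file does not keep a dependency on the encryption code it no longer performs. I can only see the hunks, so please confirm against the full module before removing `HttpResponseRedirect`.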
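Review bot: `print(str(e))` and the two status prints in the module-level AdOps setup of resetpwd/views.py bypass the `logger = logging.getLogger('django')` that this module creates a few lines above, so the Active Directory connection failure, with whatever detail the exception text carries, never reaches the configured log destination. Prefer `logger.info('初始化Active Directory连接成功...')` on success and `logger.exception('初始化Active Directory连接失败...')` in the except branch, which also records the traceback instead of only `str(e)`.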
@@ -105,18 +106,17 @@ def callback_check(request): logger.info('[成功] 请求方法:%s,请求路径:%s,CODE:%s' % (request.method, request.path, code)) else: logger.error('[异常] 请求方法:%s,请求路径:%s,未能拿到CODE。' % (request.method, request.path)) - + context = { + 'msg': "错误,临时授权码己失效,请从主页重新扫码验证。", + 'button_click': "window.location.href='%s'" % home_url, + 'button_display': "返回主页" + } + return render(request, msg_template, context) try: user_id, user_info = code_2_user_id(_ops, request, msg_template, home_url, code) # 账号是否是激活的 if get_user_is_active(user_info): - crypto = Crypto(CRYPTO_KEY) - # 对user_id进行加密,因为user_id基本上固定不变的,为了防止user_id泄露而导致重复使用,进行加密后再传回。 - _id_cryto = crypto.encrypt(user_id) - # 配置cookie,通过cookie把加密后的用户user_id传到重置密码页面,并重定向到重置密码页面。 - set_cookie = HttpResponseRedirect('resetPassword') - set_cookie.set_cookie('tmpid', _id_cryto, expires=TMPID_COOKIE_AGE) - return set_cookie + return crypto_user_id_2_cookie(user_id) else: context = { 'msg': '[%s]在钉钉中未激活或可能己离职' % format2username(user_info.get('name')), @@ -124,14 +124,6 @@ def callback_check(request): 'button_display': "返回主页" } return render(request, msg_template, context) - except KeyError: - context = { - 'msg': "错误,临时授权码己失效,请从主页重新扫码验证。", - 'button_click': "window.location.href='%s'" % home_url, - 'button_display': "返回主页" - } - logger.error('[异常] :%s' % str(KeyError)) - return render(request, msg_template, context) except Exception as callback_e: context = { 'msg': "错误[%s],请与管理员联系." % str(callback_e), @@ -151,7 +143,7 @@ def reset_pwd_by_callback(request): home_url = '%s://%s' % (request.scheme, HOME_URL) # 从cookie中提取union_id,并解密,然后对当前union_id的用户进行重置密码 if request.method == 'GET': - user_id = tmpid_2_user_id(request, msg_template, home_url) + user_id = crypto_id_2_user_id(request, msg_template, home_url) userid_status, user_info = _ops.get_user_detail_by_user_id(user_id) if not userid_status: context = { 
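Review bot: The `context` dict added in the `else` branch of callback_check is another copy of the same three-key message page (`'msg'`, `'button_click'`, `'button_display'`) that this function already builds twice more in the visible hunks; a small helper such as `_msg_page(request, msg, home_url)` returning `render(request, msg_template, {...})` would keep the button wiring in one place. The early `return render(...)` itself is the right fix for the previously fall-through path.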
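Review bot: Removing the `except KeyError` handler in callback_check routes that case into `except Exception as callback_e`, whose message `"错误[%s],请与管理员联系." % str(callback_e)` renders the raw exception text to the end user; internal lookup failures (and anything else raised inside code_2_user_id) are now shown verbatim on the page. Log the detail server-side and show a fixed message instead: `logger.exception('[异常] 请求方法:%s,请求路径:%s' % (request.method, request.path))` followed by `'msg': "错误,请与管理员联系."`. The enclosing function starts in the previous hunk and its remaining lines lie outside this one.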
@@ -179,7 +171,7 @@ def reset_pwd_by_callback(request): # 重置密码页面,输入新密码后点击提交 elif request.method == 'POST': _new_password = request.POST.get('new_password').strip() - user_info = tmpid_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP) + user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP) username = format2username(user_info.get('email')) return ops_account(ad_ops, request, msg_template, home_url, username, _new_password) else: @@ -199,7 +191,7 @@ def unlock_account(request): """ home_url = '%s://%s' % (request.scheme, HOME_URL) if request.method == 'GET': - user_info = tmpid_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP) + user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP) username = format2username(user_info.get('email')) context = { 'username': username, @@ -207,7 +199,7 @@ def unlock_account(request): return render(request, 'resetPassword.html', context) elif request.method == 'POST': - user_info = tmpid_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP) + user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP) username = format2username(user_info.get('email')) return ops_account(ad_ops, request, msg_template, home_url, username, None) else: diff --git a/utils/crypto.py b/utils/crypto.py index 1118c9d..c0e386e 100644 --- a/utils/crypto.py +++ b/utils/crypto.py @@ -1,11 +1,4 @@ -import os -import random - -try: - from cryptography.fernet import Fernet -except ImportError: - os.system('pip3 install cryptography') - from cryptography.fernet import Fernet +from cryptography.fernet import Fernet class Crypto(object): @@ -22,8 +15,3 @@ class Crypto(object): def decrypt(self, token): string = self.factory.decrypt(bytes(token.encode('utf-8'))).decode('utf-8') return string - - -if __name__ == '__main__': - key = Fernet.generate_key() - print(key)
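Review bot: `decrypt` in utils/crypto.py hands the token to `self.factory.decrypt` without a `ttl`, so the timestamp Fernet embeds in every token is never checked and a captured `tmpid` cookie stays usable for as long as the process and its key live; the only lifetime is the browser-side `expires` set in resetpwd/utils.py, which a replayed cookie does not honor. `Fernet.decrypt` accepts `ttl` in seconds, so thread it through — `def decrypt(self, token, ttl=None):` / `string = self.factory.decrypt(token.encode('utf-8'), ttl=ttl).decode('utf-8')` — and pass the cookie age from the two decrypt callers in resetpwd/utils.py; `bytes(token.encode('utf-8'))` is a redundant wrap, since `encode` already returns bytes. The Crypto class begins outside this hunk.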