7x31/ad-password-self-service
1
0
Fork 0
mirror of https://github.com/capricornxl/ad-password-self-service.git synced 2025-08-11 16:20:10 +08:00
Code Issues Packages Projects Releases Wiki Activity

修改钉钉/企业微信直接使用内部应用免密登录的方式来验证,不再支持扫码。

Browse Source 
由于一些API的权限发生变化,导致一些关键信息无法获取,所以做以上改变。
This commit is contained in:
Leven
2022-12-16 23:28:19 +08:00
parent 6b90cd3be7
commit 2e886dc6e8
95 changed files with 267 additions and 10253 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
resetpwd/utils.py
View File

@@ -24,7 +24,7 @@ else:
logger = logging.getLogger('django')
def code_2_user_info(ops, home_url, code):
def code_2_user_detail(ops, home_url, code):
"""
临时授权码换取userinfo
"""
@@ -65,7 +65,7 @@ def crypto_id_2_user_info(ops, request, msg_template, home_url, scan_app_tag):
if not crypto_tmp_id:
logger.error('[异常] 请求方法:%s,请求路径:%s未能拿到TmpID或会话己超时。' % (request.method, request.path))
context = {
'msg': "会话己超时,请重新扫码验证用户信息。",
'msg': "会话己超时,请重新验证用户信息。",
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}

182
resetpwd/views.py
View File

@@ -4,40 +4,41 @@ import os
from django.shortcuts import render
from utils.ad_ops import AdOps
from ldap3.core.exceptions import LDAPException
from utils.format_username import format2username, get_user_is_active
import urllib.parse as url_encode
from utils.format_username import format2username, get_user_is_active, get_email_from_userinfo
from .form import CheckForm
from .utils import code_2_user_info, crypto_id_2_user_info, ops_account, crypto_id_2_user_id, crypto_user_id_2_cookie
from .utils import code_2_user_detail, crypto_id_2_user_info, ops_account
from django.conf import settings
APP_ENV = os.getenv('APP_ENV')
if APP_ENV == 'dev':
from conf.local_settings_dev import SCAN_CODE_TYPE, DING_MO_APP_ID, WEWORK_CORP_ID, WEWORK_AGENT_ID, HOME_URL, DING_CORP_ID
from conf.local_settings_dev import AUTH_CODE_TYPE, DING_MO_APP_ID, WEWORK_CORP_ID, WEWORK_AGENT_ID, HOME_URL, DING_CORP_ID
else:
from conf.local_settings import SCAN_CODE_TYPE, DING_MO_APP_ID, WEWORK_CORP_ID, WEWORK_AGENT_ID, HOME_URL, DING_CORP_ID
from conf.local_settings import AUTH_CODE_TYPE, DING_MO_APP_ID, WEWORK_CORP_ID, WEWORK_AGENT_ID, HOME_URL, DING_CORP_ID
msg_template = 'messages.v1.html'
logger = logging.getLogger('django')
class PARAMS(object):
if SCAN_CODE_TYPE == 'DING':
if AUTH_CODE_TYPE == 'DING':
corp_id = DING_CORP_ID
app_id = DING_MO_APP_ID
agent_id = None
SCAN_APP = '钉钉'
AUTH_APP = '钉钉'
from utils.dingding_ops import DingDingOps
ops = DingDingOps()
elif SCAN_CODE_TYPE == 'WEWORK':
elif AUTH_CODE_TYPE == 'WEWORK':
corp_id = None
app_id = WEWORK_CORP_ID
agent_id = WEWORK_AGENT_ID
SCAN_APP = '微信'
AUTH_APP = '微信'
from utils.wework_ops import WeWorkOps
ops = WeWorkOps()
else:
corp_id = None
app_id = WEWORK_CORP_ID
agent_id = WEWORK_AGENT_ID
SCAN_APP = '微信'
AUTH_APP = '微信'
from utils.wework_ops import WeWorkOps
ops = WeWorkOps()
@@ -49,20 +50,20 @@ _ops = scan_params.ops
def index(request):
"""
用户自行修改密码/首页
:param request:
:return:
"""
home_url = '%s://%s' % (request.scheme, HOME_URL)
corp_id = scan_params.corp_id
app_id = scan_params.app_id
agent_id = scan_params.agent_id
scan_app = scan_params.SCAN_APP
scan_app = scan_params.AUTH_APP
unsecpwd = settings.UN_SEC_PASSWORD
if request.method == 'GET' and SCAN_CODE_TYPE == 'DING':
return render(request, 'ding_index.html', locals())
elif request.method == 'GET' and SCAN_CODE_TYPE == 'WEWORK':
redirect_url = url_encode.quote(home_url + '/resetPassword')
if request.method == 'GET' and AUTH_CODE_TYPE == 'DING':
return render(request, 'ding_index.v1.html', locals())
elif request.method == 'GET' and AUTH_CODE_TYPE == 'WEWORK':
return render(request, 'we_index.v1.html', locals())
elif request.method == 'GET' and SCAN_CODE_TYPE == 'FEISHU':
elif request.method == 'GET' and AUTH_CODE_TYPE == 'FEISHU':
return render(request, 'index.v1.html', locals())
else:
logger.error('[异常] 请求方法:%s,请求路径%s' % (request.method, request.path))
@@ -115,53 +116,7 @@ def index(request):
return render(request, msg_template, context)
def callback_check(request):
"""
扫码回调数据之后将用户账号在AD中进行验证如果通过则返回钉钉中取出用户的union_id
:param request:
:return:
"""
home_url = '%s://%s' % (request.scheme, HOME_URL)
code = request.GET.get('code')
if code:
logger.info('[成功] 请求方法:%s,请求路径:%sCODE%s' % (request.method, request.path, code))
else:
logger.error('[异常] 请求方法:%s,请求路径:%s未能拿到CODE。' % (request.method, request.path))
context = {
'msg': "错误,临时授权码己失效,请从主页重新扫码验证。",
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
print('code ----- ', code)
try:
_status, user_id, user_info = code_2_user_info(_ops, home_url, code)
if not _status:
return render(request, msg_template, user_id)
# 账号是否是激活的
if get_user_is_active(user_info):
return crypto_user_id_2_cookie(user_id)
# 否则账号不存在或未激活
else:
context = {
'msg': '当前扫码的用户未激活或可能己离职,用户信息如下:%s' % user_info,
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
except Exception as callback_e:
context = {
'msg': "错误[%s],请与管理员联系." % str(callback_e),
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
logger.error('[异常] %s' % str(callback_e))
return render(request, msg_template, context)
def reset_pwd_by_callback(request):
def reset_password(request):
"""
钉钉扫码并验证信息通过之后,在重置密码页面将用户账号进行绑定
:param request:
@@ -170,12 +125,52 @@ def reset_pwd_by_callback(request):
home_url = '%s://%s' % (request.scheme, HOME_URL)
# 从cookie中提取union_id并解密然后对当前union_id的用户进行重置密码
if request.method == 'GET':
_status, user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP)
if not _status:
return render(request, msg_template, user_info)
# 通过user_id拿到用户信息并格式化为username
# 格式化用户名
_, username = format2username(user_info.get('email'))
code = request.GET.get('code')
if code:
logger.info('[成功] 请求方法:%s,请求路径:%sCode%s' % (request.method, request.path, code))
else:
logger.error('[异常] 请求方法:%s,请求路径:%s未能拿到Code。' % (request.method, request.path))
context = {
'msg': "错误,临时授权码己失效,请从主页重新开始登录授权..",
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
try:
_status, user_id, user_info = code_2_user_detail(_ops, home_url, code)
if not _status:
return render(request, msg_template, user_id)
# 账号是否是激活的
_, res = get_user_is_active(user_info)
if not _:
# 否则账号不存在或未激活
context = {
'msg': '当前扫码的用户未激活或可能己离职,用户信息如下:%s' % user_info,
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
except Exception as callback_e:
context = {
'msg': "错误[%s],请与管理员联系." % str(callback_e),
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
logger.error('[异常] %s' % str(callback_e))
return render(request, msg_template, context)
# 通过user_info拿到用户信息并格式化为username
_, email = get_email_from_userinfo(user_info)
if not _:
context = {
'msg': email,
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
_, username = format2username(email)
if _ is False:
context = {
'msg': username,
@@ -183,6 +178,7 @@ def reset_pwd_by_callback(request):
'button_display': "返回主页"
}
return render(request, msg_template, context)
# 如果邮箱能提取到,则格式化之后,提取出账号提交到前端绑定
if username:
context = {
@@ -191,7 +187,7 @@ def reset_pwd_by_callback(request):
return render(request, 'resetPassword.v1.html', context)
else:
context = {
'msg': "{},您好,企业{}中未能找到您账号的邮箱配置请联系HR完善信息。".format(user_info.get('name'), scan_params.SCAN_APP),
'msg': "{},您好,企业{}中未能找到您账号的邮箱配置请联系HR完善信息。".format(user_info.get('name'), scan_params.AUTH_APP),
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
@@ -201,11 +197,22 @@ def reset_pwd_by_callback(request):
elif request.method == 'POST':
try:
_new_password = request.POST.get('new_password').strip()
_status, user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP)
_status, user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.AUTH_APP)
if not _status:
return render(request, msg_template, user_info)
# 通过user_info拿到用户信息并格式化为username
_, email = get_email_from_userinfo(user_info)
if not _:
context = {
'msg': email,
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
# 格式化用户名
_, username = format2username(user_info.get('email'))
_, username = format2username(email)
if _ is False:
context = {
'msg': username,
@@ -239,11 +246,21 @@ def unlock_account(request):
"""
home_url = '%s://%s' % (request.scheme, HOME_URL)
if request.method == 'GET':
_status, user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP)
_status, user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.AUTH_APP)
if not _status:
return render(request, msg_template, user_info)
# 格式化用户名
_, username = format2username(user_info.get('email'))
# 通过user_info拿到用户信息并格式化为username
_, email = get_email_from_userinfo(user_info)
if not _:
context = {
'msg': email,
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
_, username = format2username(email)
if _ is False:
context = {
'msg': username,
@@ -257,11 +274,22 @@ def unlock_account(request):
return render(request, 'resetPassword.v1.html', context)
elif request.method == 'POST':
_status, user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP)
_status, user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.AUTH_APP)
if not _status:
return render(request, msg_template, user_info)
# 通过user_info拿到用户信息并格式化为username
_, email = get_email_from_userinfo(user_info)
if not _:
context = {
'msg': email,
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
# 格式化用户名
_, username = format2username(user_info.get('email'))
_, username = format2username(email)
if _ is False:
context = {
'msg': username,