diff --git a/conf/local_settings.py b/conf/local_settings.py index 787a85a..58746a1 100644 --- a/conf/local_settings.py +++ b/conf/local_settings.py @@ -1,3 +1,8 @@ + +# ########################################################################## +# 字符串前面的格式编码不要去掉了,主要是为了解决特殊字符被转义的问题。 # +# ########################################################################## + # ########## AD配置,修改为自己的 # AD主机,可以是IP或主机域名,例如可以是: abc.com或172.16.122.1 AD_HOST = r'修改成自己的' diff --git a/readme.md b/readme.md index 618d82d..b703b8f 100644 --- a/readme.md +++ b/readme.md @@ -9,6 +9,11 @@ ### 逻辑: >用户扫码通过之后,通过临时授权码,提取用户的userid,再通过userid断用户在本企业中是否存在。如果存在,提取钉钉/企业微信用户的邮箱,通过邮箱转成账号,将账号拿到AD中进行比对来验证账号在AD中是否存在并账号状态是激活的。满足以上条件的账号就会视为可自行重置密码。 + ## _**所能接受的账号规则**_ +无论是钉钉、微信,均是通过提取用户邮箱的前缀部分来作为关联AD的账号,所以目前的识别逻辑就需要保证邮箱的前缀和AD的登录账号是一致的。 +如果您的场景不是这样,请按自己的需求修改源代码适配。 + + ### 代码提交到--新分支: ``` djaong3 diff --git a/resetpwd/views.py b/resetpwd/views.py index 9fbeb32..603e443 100644 --- a/resetpwd/views.py +++ b/resetpwd/views.py @@ -44,13 +44,6 @@ class PARAMS(object): scan_params = PARAMS() _ops = scan_params.ops -# try: -# AdOps() = AdOps() -# print("初始化Active Directory连接成功...") -# except Exception as e: -# AdOps() = LDAPException("连接域控制器失败,无法访问到LDAP") -# print("初始化Active Directory连接失败...") -# print(str(e)) def index(request): @@ -95,7 +88,14 @@ def index(request): } return render(request, msg_template, context) # 格式化用户名 - username = format2username(username) + _, username = format2username(username) + if _ is False: + context = { + 'msg': username, + 'button_click': "window.location.href='%s'" % home_url, + 'button_display': "返回主页" + } + return render(request, msg_template, context) # 检测账号状态 auth_status, auth_result = AdOps().ad_auth_user(username=username, password=old_password) if not auth_status: 
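Review bot: In the index() hunk the status flag returned by format2username is bound to `_`, which by convention marks a value that is deliberately ignored, and is then tested with `if _ is False:`; the next reader will assume the flag is unused. Bind it to a real name and test truthiness: `ok, username = format2username(username)` followed by `if not ok:`. Note that on the failure path `username` is the NameError instance built inside format2username, so the page shows its str(), which embeds the raw account string the user typed; that is fine only while msg_template leaves `msg` under Django's default autoescaping, and the template is not in this diff. index() begins before this hunk.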
@@ -133,17 +133,18 @@ def callback_check(request): 'button_display': "返回主页" } return render(request, msg_template, context) - print("code: {}" .format(code)) try: _status, user_id, user_info = code_2_user_info(_ops, request, msg_template, home_url, code) + print(user_info) if not _status: return render(request, msg_template, user_id) # 账号是否是激活的 if get_user_is_active(user_info): return crypto_user_id_2_cookie(user_id) + # 否则账号不存在或未激活 else: context = { - 'msg': '[%s]在钉钉中未激活或可能己离职' % format2username(user_info.get('name')), + 'msg': '当前扫码的用户在钉钉中未激活或可能己离职,用户信息如下:%s' % user_info, 'button_click': "window.location.href='%s'" % home_url, 'button_display': "返回主页" } @@ -171,7 +172,15 @@ def reset_pwd_by_callback(request): if not _status: return render(request, msg_template, user_info) # 通过user_id拿到用户信息,并格式化为username - username = format2username(user_info.get('email')) + # 格式化用户名 + _, username = format2username(user_info.get('email')) + if _ is False: + context = { + 'msg': username, + 'button_click': "window.location.href='%s'" % home_url, + 'button_display': "返回主页" + } + return render(request, msg_template, context) # 如果邮箱能提取到,则格式化之后,提取出账号提交到前端绑定 if username: context = { @@ -193,7 +202,15 @@ def reset_pwd_by_callback(request): _status, user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP) if not _status: return render(request, msg_template, user_info) - username = format2username(user_info.get('email')) + # 格式化用户名 + _, username = format2username(user_info.get('email')) + if _ is False: + context = { + 'msg': username, + 'button_click': "window.location.href='%s'" % home_url, + 'button_display': "返回主页" + } + return render(request, msg_template, context) return ops_account(ad_ops=AdOps(), request=request, msg_template=msg_template, home_url=home_url, username=username, new_password=_new_password) except Exception as reset_e: context = { 
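Review bot: The added `print(user_info)` in callback_check writes the whole identity payload of the scanned user (at least name and email, judging by the keys read elsewhere in this diff) to stdout on every successful scan, and the rewritten 'msg' line pushes the same dict into the user-facing page via `%s' % user_info`. Both disclose more than the message needs; the replaced line showed only the name. Drop the print (or log just `user_id` at debug level) and render only the name: `'msg': '当前扫码的用户在钉钉中未激活或可能己离职: %s' % user_info.get('name')`. Which other fields user_info carries is not visible here, so the exact extent of what is printed is inferred.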
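Review bot: In reset_pwd_by_callback the AD account whose password gets reset is still chosen solely from the local part of `user_info.get('email')`; this commit adds handling for an unparseable address but no check that the address actually belongs to the scanned user. If the email attribute can be edited by the user or by a non-admin in DingTalk/WeCom (not visible from this diff), anyone who sets it to `<victim>@<domain>` can reset the victim's AD password through this flow. Before ops_account runs, confirm the binding against the directory rather than the prefix — for example look the AD account up by its mail attribute and require it to equal the full address — or pin the mapping to the stable user_id returned by the scan. The readme section added in this commit documents the prefix assumption, and that is where this trust-boundary caveat should also be stated.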
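Review bot: The second reset_pwd_by_callback hunk is the fifth copy in this commit of the same five-line block that builds a context with 'msg', 'button_click' and 'button_display' and renders msg_template; every copy must be kept in sync by hand. Extract it into one module-level helper and call that from each failure path, which also makes the `_` flag a named value. The fence shows the helper and the rewritten call site for this hunk; the other four sites change the same way.
```python
def _render_msg(request, msg_template, home_url, msg):
    """Render the generic message page with a single "back to home" button."""
    context = {
        'msg': msg,
        'button_click': "window.location.href='%s'" % home_url,
        'button_display': "返回主页",
    }
    return render(request, msg_template, context)

# … unchanged: crypto_id_2_user_info call and _status check …
ok, username = format2username(user_info.get('email'))
if not ok:
    return _render_msg(request, msg_template, home_url, username)
return ops_account(ad_ops=AdOps(), request=request, msg_template=msg_template, home_url=home_url, username=username, new_password=_new_password)
```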
@@ -223,7 +240,15 @@ def unlock_account(request): _status, user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP) if not _status: return render(request, msg_template, user_info) - username = format2username(user_info.get('email')) + # 格式化用户名 + _, username = format2username(user_info.get('email')) + if _ is False: + context = { + 'msg': username, + 'button_click': "window.location.href='%s'" % home_url, + 'button_display': "返回主页" + } + return render(request, msg_template, context) context = { 'username': username, } @@ -233,7 +258,15 @@ def unlock_account(request): _status, user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP) if not _status: return render(request, msg_template, user_info) - username = format2username(user_info.get('email')) + # 格式化用户名 + _, username = format2username(user_info.get('email')) + if _ is False: + context = { + 'msg': username, + 'button_click': "window.location.href='%s'" % home_url, + 'button_display': "返回主页" + } + return render(request, msg_template, context) return ops_account(AdOps(), request, msg_template, home_url, username, None) else: context = { diff --git a/utils/format_username.py b/utils/format_username.py index 1256dd3..b76631e 100644 --- a/utils/format_username.py +++ b/utils/format_username.py @@ -20,13 +20,13 @@ def format2username(account): domain_compile = re.compile(r'(.*)\\(.*)') if re.fullmatch(mail_compile, account): - return re.fullmatch(mail_compile, account).group(1) + return True, re.fullmatch(mail_compile, account).group(1) elif re.fullmatch(domain_compile, account): - return re.fullmatch(domain_compile, account).group(2) + return True, re.fullmatch(domain_compile, account).group(2) else: - return account.lower() + return True, account.lower() else: - raise NameError("输入的账号不能为空..") + return False, NameError("{}格式化失败,注意:account用户账号是邮箱或DOMAIN\\username或username格式!".format(account)) def get_user_is_active(user_info):
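Review bot: In the first unlock_account hunk `user_info.get('email')` is None when the scanned user has no email attribute, and format2username then (assuming the condition whose else-branch appears in its hunk is a truthiness test on account) returns the text `None格式化失败,注意:...`, which is what the user is shown. Test for the missing attribute before formatting and name the actual problem: `if not user_info.get('email'): return render(request, msg_template, {'msg': '钉钉/企业微信账号未配置邮箱,无法关联AD账号', 'button_click': "window.location.href='%s'" % home_url, 'button_display': "返回主页"})`. unlock_account begins before this hunk.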
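Review bot: format2username now returns `(False, NameError(...))` on failure, so every caller in this commit stores an exception instance in a template context and relies on str() to turn it into text; return a plain string instead, `return False, "{}格式化失败,注意:account用户账号是邮箱或DOMAIN\\username或username格式!".format(account)`, or raise ValueError and let callers catch it. That message also reflects the unvalidated `account` value back into the caller's page, which is harmless under Django's default autoescaping but worth confirming since no template is in this diff. The three success branches are inconsistent: only the bare-username branch applies `.lower()`, while the email local part and the DOMAIN\\user part are returned as typed — normalise all three the same way or none. The condition this `else` belongs to is above the hunk and not visible.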