mirror of
https://github.com/capricornxl/ad-password-self-service.git
synced 2025-08-11 16:20:10 +08:00
### 2021/05/19 -- 更新:
+ 添加了企业微信支持,修改pwdselfservice/local_settings.py中的SCAN_CODE_TYPE = 'DING'或SCAN_CODE_TYPE = 'WEWORK',区分使用哪个应用扫码验证 + 添加Reids缓存Token支持,如果不配置Redis则使用MemoryStorage缓存到内存中
This commit is contained in:
向乐🌌
@@ -1,40 +1,51 @@
|
||||
import logging
|
||||
import sys
|
||||
|
||||
from django.http import *
|
||||
from django.shortcuts import render
|
||||
from pwdselfservice.local_settings import SCAN_CODE_TYPE, DING_MO_APP_ID, WEWORK_CORP_ID, WEWORK_AGENT_ID, HOME_URL, CRYPTO_KEY, TMPID_COOKIE_AGE
|
||||
|
||||
from utils.ad_ops import *
|
||||
from utils.ad_ops import AdOps
|
||||
from utils.crypto import Crypto
|
||||
from utils.dingding_ops import *
|
||||
from utils.format_username import format2username
|
||||
from utils.format_username import format2username, get_user_is_active
|
||||
from .form import CheckForm
|
||||
|
||||
msg_template = 'messages.html'
|
||||
logger = logging.getLogger('django')
|
||||
|
||||
try:
|
||||
ad_ops = AdOps()
|
||||
except Exception as e:
|
||||
print(e)
|
||||
sys.exit(1)
|
||||
try:
|
||||
ding_ops = DingDingOps()
|
||||
except Exception as e:
|
||||
print(e)
|
||||
sys.exit(1)
|
||||
|
||||
class PARAMS(object):
|
||||
if SCAN_CODE_TYPE == 'DING':
|
||||
app_id = DING_MO_APP_ID
|
||||
agent_id = None
|
||||
SCAN_APP = '钉钉'
|
||||
from utils.dingding_ops import DingDingOps
|
||||
ops = DingDingOps()
|
||||
elif SCAN_CODE_TYPE == 'WEWORK':
|
||||
app_id = WEWORK_CORP_ID
|
||||
agent_id = WEWORK_AGENT_ID
|
||||
SCAN_APP = '微信'
|
||||
from utils.wework_ops import WeWorkOps
|
||||
ops = WeWorkOps()
|
||||
|
||||
|
||||
scan_params = PARAMS()
|
||||
_ops = scan_params.ops
|
||||
ad_ops = AdOps()
|
||||
|
||||
|
||||
def index(request):
|
||||
"""
|
||||
用户自行修改密码
|
||||
用户自行修改密码/首页
|
||||
:param request:
|
||||
:return:
|
||||
"""
|
||||
home_url = '%s://%s' % (request.scheme, HOME_URL)
|
||||
app_id = DING_MO_APP_ID
|
||||
if request.method == 'GET':
|
||||
return render(request, 'index.html', locals())
|
||||
app_id = scan_params.app_id
|
||||
agent_id = scan_params.agent_id
|
||||
if request.method == 'GET' and SCAN_CODE_TYPE == 'DING':
|
||||
return render(request, 'ding_index.html', locals())
|
||||
elif request.method == 'GET' and SCAN_CODE_TYPE == 'WEWORK':
|
||||
return render(request, 'we_index.html', locals())
|
||||
else:
|
||||
logger.error('[异常] 请求方法:%s,请求路径:%s' % (request.method, request.path))
|
||||
|
||||
@@ -68,8 +79,9 @@ def index(request):
|
||||
return render(request, msg_template, context)
|
||||
|
||||
# 514 66050是AD中账号被禁用的特定代码,这个可以在微软官网查到。
|
||||
# 可能不是太准确
|
||||
if ad_ops.ad_get_user_status_by_account(username) == 514 or ad_ops.ad_get_user_status_by_account(username) == 66050:
|
||||
# 可能不是太准确,如果使用者能确定还有其它状态码,可以自行在此处添加
|
||||
account_code = ad_ops.ad_get_user_status_by_account(username)
|
||||
if account_code == 514 or account_code == 66050:
|
||||
context = {
|
||||
'msg': "此账号状态为己禁用,请联系HR确认账号是否正确。",
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
@@ -87,7 +99,7 @@ def index(request):
|
||||
return render(request, msg_template, context)
|
||||
else:
|
||||
context = {
|
||||
'msg': "密码未修改成功,原因:{}" .format(reset_result),
|
||||
'msg': "密码未修改成功,原因:{}".format(reset_result),
|
||||
'button_click': "window.history.back()",
|
||||
'button_display': "返回"
|
||||
}
|
||||
@@ -113,65 +125,57 @@ def callback_check(request):
|
||||
logger.info('[成功] 请求方法:%s,请求路径:%s,CODE:%s' % (request.method, request.path, code))
|
||||
else:
|
||||
logger.error('[异常] 请求方法:%s,请求路径:%s,未能拿到CODE。' % (request.method, request.path))
|
||||
|
||||
try:
|
||||
union_status, union_id = ding_ops.ding_get_union_id_by_code(code)
|
||||
# 判断 union_id 在本企业钉钉中是否存在
|
||||
if not union_status:
|
||||
logger.error('[异常] 请求方法:%s,请求路径:%s,未能拿到union_id。' % (request.method, request.path))
|
||||
_status, user_id = _ops.get_user_id_by_code(code)
|
||||
# 判断 user_id 在本企业钉钉/微信中是否存在
|
||||
if not _status:
|
||||
context = {
|
||||
'msg': '未能在企业钉钉中检索到用户信息,错误信息:{}' .format(union_id),
|
||||
'msg': '获取钉钉userid失败,错误信息:{}'.format(user_id),
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
'button_display': "返回主页"
|
||||
}
|
||||
return render(request, msg_template, context)
|
||||
userid_status, user_result = ding_ops.ding_get_userid_by_union_id(union_id)
|
||||
if not userid_status:
|
||||
context = {
|
||||
'msg': '获取钉钉userid失败,错误信息:{}'.format(user_result),
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
'button_display': "返回主页"
|
||||
}
|
||||
return render(request, msg_template, context)
|
||||
detail_status, ding_user_info = ding_ops.ding_get_userinfo_detail(user_result)
|
||||
detail_status, user_info = _ops.get_user_detail_by_user_id(user_id)
|
||||
if not detail_status:
|
||||
context = {
|
||||
'msg': '获取钉钉用户信息失败,错误信息:{}'.format(ding_user_info),
|
||||
'msg': '获取钉钉用户信息失败,错误信息:{}'.format(user_info),
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
'button_display': "返回主页"
|
||||
}
|
||||
return render(request, msg_template, context)
|
||||
# 钉钉中此账号是否可用
|
||||
if ding_user_info['active']:
|
||||
# 账号是否是激活的
|
||||
if get_user_is_active(user_info):
|
||||
crypto = Crypto(CRYPTO_KEY)
|
||||
# 对union_id进行加密,因为union_id基本上固定不变的,为了防止union_id泄露而导致重复使用,进行加密后再传回。
|
||||
union_id_cryto = crypto.encrypt(union_id)
|
||||
# 配置cookie,通过cookie把加密后的用户union_id传到重置密码页面,并重定向到重置密码页面。
|
||||
# 对user_id进行加密,因为user_id基本上固定不变的,为了防止user_id泄露而导致重复使用,进行加密后再传回。
|
||||
_id_cryto = crypto.encrypt(user_id)
|
||||
# 配置cookie,通过cookie把加密后的用户user_id传到重置密码页面,并重定向到重置密码页面。
|
||||
set_cookie = HttpResponseRedirect('resetPassword')
|
||||
set_cookie.set_cookie('tmpid', union_id_cryto, expires=TMPID_COOKIE_AGE)
|
||||
set_cookie.set_cookie('tmpid', _id_cryto, expires=TMPID_COOKIE_AGE)
|
||||
return set_cookie
|
||||
else:
|
||||
context = {
|
||||
'msg': '[%s]在钉钉中未激活或可能己离职' % format2username(ding_user_info['name']),
|
||||
'msg': '[%s]在钉钉中未激活或可能己离职' % format2username(user_info.get('name')),
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
'button_display': "返回主页"
|
||||
}
|
||||
return render(request, msg_template, context)
|
||||
except KeyError:
|
||||
context = {
|
||||
'msg': "错误,钉钉临时Code己失效,请从主页重新扫码。",
|
||||
'msg': "错误,临时授权码己失效,请从主页重新扫码验证。",
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
'button_display': "返回主页"
|
||||
}
|
||||
logger.error('[异常] :%s' % str(KeyError))
|
||||
return render(request, msg_template, context)
|
||||
|
||||
except Exception as e:
|
||||
except Exception as callback_e:
|
||||
context = {
|
||||
'msg': "错误[%s],请与管理员联系." % str(e),
|
||||
'msg': "错误[%s],请与管理员联系." % str(callback_e),
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
'button_display': "返回主页"
|
||||
}
|
||||
logger.error('[异常] :%s' % str(e))
|
||||
logger.error('[异常] :%s' % str(callback_e))
|
||||
return render(request, msg_template, context)
|
||||
|
||||
|
||||
@@ -181,17 +185,17 @@ def reset_pwd_by_ding_callback(request):
|
||||
:param request:
|
||||
:return:
|
||||
"""
|
||||
global union_id_crypto
|
||||
global tmpid_crypto
|
||||
home_url = '%s://%s' % (request.scheme, HOME_URL)
|
||||
# 从cookie中提取union_id,并解密,然后对当前union_id的用户进行重置密码
|
||||
if request.method == 'GET':
|
||||
try:
|
||||
union_id_crypto = request.COOKIES.get('tmpid')
|
||||
tmpid_crypto = request.COOKIES.get('tmpid')
|
||||
except Exception as e:
|
||||
union_id_crypto = None
|
||||
tmpid_crypto = None
|
||||
logger.error('[异常] :%s' % str(e))
|
||||
if not union_id_crypto:
|
||||
logger.error('[异常] 请求方法:%s,请求路径:%s,未能拿到CODE或CODE己超时。' % (request.method, request.path))
|
||||
if not tmpid_crypto:
|
||||
logger.error('[异常] 请求方法:%s,请求路径:%s,未能拿到TmpID或会话己超时。' % (request.method, request.path))
|
||||
context = {
|
||||
'msg': "会话己超时,请重新扫码验证用户信息。",
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
@@ -200,35 +204,27 @@ def reset_pwd_by_ding_callback(request):
|
||||
return render(request, msg_template, context)
|
||||
# 解密
|
||||
crypto = Crypto(CRYPTO_KEY)
|
||||
union_id = crypto.decrypt(union_id_crypto)
|
||||
# 通过union_id在钉钉中拿到用户的邮箱,并格式化为username
|
||||
userid_status, user_result = ding_ops.ding_get_userid_by_union_id(union_id)
|
||||
user_id = crypto.decrypt(tmpid_crypto)
|
||||
# 通过user_id拿到用户的邮箱,并格式化为username
|
||||
userid_status, user_result = _ops.get_user_detail_by_user_id(user_id)
|
||||
if not userid_status:
|
||||
context = {
|
||||
'msg': '获取钉钉userid失败,错误信息:{}'.format(user_result),
|
||||
'msg': '获取{}用户信息失败,错误信息:{}'.format(user_result, scan_params.SCAN_APP),
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
'button_display': "返回主页"
|
||||
}
|
||||
return render(request, msg_template, context)
|
||||
detail_status, ding_user_info = ding_ops.ding_get_userinfo_detail(user_result)
|
||||
if not detail_status:
|
||||
context = {
|
||||
'msg': '获取钉钉用户信息失败,错误信息:{}'.format(ding_user_info),
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
'button_display': "返回主页"
|
||||
}
|
||||
return render(request, msg_template, context)
|
||||
username = format2username(ding_user_info['email'])
|
||||
# 如果邮箱在钉钉中能提取到,则格式化之后,提取出账号提交到前端绑定
|
||||
username = format2username(user_result['email'])
|
||||
# 如果邮箱能提取到,则格式化之后,提取出账号提交到前端绑定
|
||||
if username:
|
||||
context = {
|
||||
'username': username,
|
||||
}
|
||||
return render(request, 'resetPassword.html', context)
|
||||
# 否则就是钉钉中此用户未配置邮箱,返回相关提示
|
||||
# 否则就是用户未配置邮箱,返回相关提示
|
||||
else:
|
||||
context = {
|
||||
'msg': "%s,您好,企业钉钉中未能找到您账号的邮箱配置,请联系HR完善信息。" % ding_user_info['name'],
|
||||
'msg': "{},您好,企业{}中未能找到您账号的邮箱配置,请联系HR完善信息。" .format(user_result.get('name'), scan_params.SCAN_APP),
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
'button_display': "返回主页"
|
||||
}
|
||||
@@ -238,11 +234,11 @@ def reset_pwd_by_ding_callback(request):
|
||||
elif request.method == 'POST':
|
||||
_new_password = request.POST.get('new_password').strip()
|
||||
try:
|
||||
union_id_crypto = request.COOKIES.get('tmpid')
|
||||
tmpid_crypto = request.COOKIES.get('tmpid')
|
||||
except Exception as e:
|
||||
union_id_crypto = None
|
||||
tmpid_crypto = None
|
||||
logger.error('[异常] :%s' % str(e))
|
||||
if not union_id_crypto:
|
||||
if not tmpid_crypto:
|
||||
logger.error('[异常] 请求方法:%s,请求路径:%s,未能拿到CODE或CODE己超时。' % (request.method, request.path))
|
||||
context = {
|
||||
'msg': "会话己超时,请重新扫码验证用户信息。",
|
||||
@@ -251,24 +247,16 @@ def reset_pwd_by_ding_callback(request):
|
||||
}
|
||||
return render(request, msg_template, context)
|
||||
crypto = Crypto(CRYPTO_KEY)
|
||||
union_id = crypto.decrypt(union_id_crypto)
|
||||
userid_status, user_result = ding_ops.ding_get_userid_by_union_id(union_id)
|
||||
user_id = crypto.decrypt(tmpid_crypto)
|
||||
userid_status, user_result = _ops.get_user_detail_by_user_id(user_id)
|
||||
if not userid_status:
|
||||
context = {
|
||||
'msg': '获取钉钉userid失败,错误信息:{}'.format(user_result),
|
||||
'msg': '获取企业{}用户信息失败,错误信息:{}'.format(scan_params.SCAN_APP, user_result),
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
'button_display': "返回主页"
|
||||
}
|
||||
return render(request, msg_template, context)
|
||||
detail_status, ding_user_info = ding_ops.ding_get_userinfo_detail(user_result)
|
||||
if not detail_status:
|
||||
context = {
|
||||
'msg': '获取钉钉用户信息失败,错误信息:{}'.format(ding_user_info),
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
'button_display': "返回主页"
|
||||
}
|
||||
return render(request, msg_template, context)
|
||||
username = format2username(ding_user_info['email'])
|
||||
username = format2username(user_result['email'])
|
||||
if ad_ops.ad_ensure_user_by_account(username) is False:
|
||||
context = {
|
||||
'msg': "账号[%s]在AD中不存在,请确认当前钉钉扫码账号绑定的邮箱是否和您正在使用的邮箱一致?或者该账号己被禁用!\n猜测:您的账号或邮箱是否是带有数字或其它字母区分?" % username,
|
||||
@@ -276,7 +264,11 @@ def reset_pwd_by_ding_callback(request):
|
||||
'button_display': "返回主页"
|
||||
}
|
||||
return render(request, msg_template, context)
|
||||
if ad_ops.ad_get_user_status_by_account(username) == 514 or ad_ops.ad_get_user_status_by_account(username) == 66050:
|
||||
|
||||
# 514 66050是AD中账号被禁用的特定代码,这个可以在微软官网查到。
|
||||
# 可能不是太准确,如果使用者能确定还有其它状态码,可以自行在此处添加
|
||||
account_code = ad_ops.ad_get_user_status_by_account(username)
|
||||
if account_code == 514 or account_code == 66050:
|
||||
context = {
|
||||
'msg': "此账号状态为己禁用,请联系HR确认账号是否正确。",
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
@@ -297,7 +289,7 @@ def reset_pwd_by_ding_callback(request):
|
||||
return render(request, msg_template, context)
|
||||
else:
|
||||
context = {
|
||||
'msg': "密码未重置成功,错误信息:{}" .format(result),
|
||||
'msg': "密码未重置成功,错误信息:{}".format(result),
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
'button_display': "返回主页"
|
||||
}
|
||||
@@ -328,24 +320,16 @@ def unlock_account(request):
|
||||
}
|
||||
return render(request, msg_template, context)
|
||||
crypto = Crypto(CRYPTO_KEY)
|
||||
union_id = crypto.decrypt(_union_id_crypto)
|
||||
userid_status, user_result = ding_ops.ding_get_userid_by_union_id(union_id)
|
||||
user_id = crypto.decrypt(_union_id_crypto)
|
||||
userid_status, user_info = _ops.get_user_detail_by_user_id(user_id)
|
||||
if not userid_status:
|
||||
context = {
|
||||
'msg': '获取钉钉userid失败,错误信息:{}'.format(user_result),
|
||||
'msg': '获取{}用户信息失败,错误信息:{}'.format(scan_params.SCAN_APP, user_info),
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
'button_display': "返回主页"
|
||||
}
|
||||
return render(request, msg_template, context)
|
||||
detail_status, ding_user_info = ding_ops.ding_get_userinfo_detail(user_result)
|
||||
if not detail_status:
|
||||
context = {
|
||||
'msg': '获取钉钉用户信息失败,错误信息:{}'.format(ding_user_info),
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
'button_display': "返回主页"
|
||||
}
|
||||
return render(request, msg_template, context)
|
||||
username = format2username(ding_user_info['email'])
|
||||
username = format2username(user_info['email'])
|
||||
context = {
|
||||
'username': username,
|
||||
}
|
||||
@@ -361,24 +345,16 @@ def unlock_account(request):
|
||||
}
|
||||
return render(request, msg_template, context)
|
||||
crypto = Crypto(CRYPTO_KEY)
|
||||
union_id = crypto.decrypt(_union_id_crypto)
|
||||
userid_status, user_result = ding_ops.ding_get_userid_by_union_id(union_id)
|
||||
user_id = crypto.decrypt(_union_id_crypto)
|
||||
userid_status, user_info = _ops.get_user_detail_by_user_id(user_id)
|
||||
if not userid_status:
|
||||
context = {
|
||||
'msg': '获取钉钉userid失败,错误信息:{}'.format(user_result),
|
||||
'msg': '获取{}用户信息失败,错误信息:{}'.format(scan_params.SCAN_APP, user_info),
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
'button_display': "返回主页"
|
||||
}
|
||||
return render(request, msg_template, context)
|
||||
detail_status, ding_user_info = ding_ops.ding_get_userinfo_detail(user_result)
|
||||
if not detail_status:
|
||||
context = {
|
||||
'msg': '获取钉钉用户信息失败,错误信息:{}'.format(ding_user_info),
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
'button_display': "返回主页"
|
||||
}
|
||||
return render(request, msg_template, context)
|
||||
username = format2username(ding_user_info['email'])
|
||||
username = format2username(user_info['email'])
|
||||
if ad_ops.ad_ensure_user_by_account(username=username) is False:
|
||||
context = {
|
||||
'msg': "账号[%s]在AD中未能正确检索到,请确认当前钉钉扫码账号绑定的邮箱是否和您正在使用的邮箱一致?或者该账号己被禁用!\n猜测:您的账号或邮箱是否是带有数字或其它字母区分?" %
|
||||
@@ -398,7 +374,7 @@ def unlock_account(request):
|
||||
return render(request, msg_template, context)
|
||||
else:
|
||||
context = {
|
||||
'msg': "账号未能解锁,错误信息:{}" .format(result),
|
||||
'msg': "账号未能解锁,错误信息:{}".format(result),
|
||||
'button_click': "window.location.href='%s'" % home_url,
|
||||
'button_display': "返回主页"
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user