7x31
/
ad-password-self-service
mirror of https://github.com/capricornxl/ad-password-self-service.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

修复utils目录自定义模块中的处理逻辑return结果不正确,导致Django无法正常在前台显示结果的BUG

This commit is contained in:
向乐🌌 2021-05-21 13:47:26 +08:00
parent 28661b0d9c
commit 9c8a82417e
17 changed files with 146 additions and 108 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
auto-install.sh
View File

@ -218,7 +218,7 @@ chkconfig uwsgiserver on
echo "处理uwsgiserver启动脚本完成"
echo
sed -i "s@PWD_SELF_SERVICE_DOMAIN@${PWD_SELF_SERVICE_DOMAIN}@g" ${SHELL_FOLDER}/pwdselfservice/local_settings.py
sed -i "s@PWD_SELF_SERVICE_DOMAIN@${PWD_SELF_SERVICE_DOMAIN}@g" ${SHELL_FOLDER}/conf/local_settings.py
##Nginx vhost配置
cat << EOF > /etc/nginx/conf.d/pwdselfservice.conf
@ -250,7 +250,6 @@ echo "Uwsgi停止/etc/init.d/uwsgi stop"
echo "Uwsgi重启/etc/init.d/uwsgi restart"
echo
echo
echo "文件${SHELL_FOLDER}/pwdselfservice/local_setting.py中必要参数需要你自行修改"
echo "此文件中有AD和钉钉的一些参数按自己企业的修改"
echo "文件${SHELL_FOLDER}/conf/local_setting.py中配置参数请自动确认下是否完整"
echo
echo "======================================================================="

7
pwdselfservice/local_settings.py → conf/local_settings.py
View File

@ -55,12 +55,7 @@ WEWORK_AGNET_SECRET = r'修改为自己的'
REDIS_LOCATION = r'redis://127.0.0.1:6379/1'
REDIS_PASSWORD = r'12345678'
# ##########################
# 执行python3 ./utils/crypto.py 生成
# 可自行生成后替换
CRYPTO_KEY = b'dp8U9y7NAhCD3MoNwPzPBhBtTZ1uI_WWSdpNs6wUDgs='
# COOKIE 超时单位是秒,可不用修改
# COOKIE超时时间单位是秒可不用修改
TMPID_COOKIE_AGE = 300
# 主页域名钉钉跳转等需要指定域名格式pwd.abc.com。

1
manage.py
View File

@ -1,7 +1,6 @@
#!/usr/bin/env python
import os
import sys
from utils.ad_ops import AdOps
if __name__ == '__main__':
os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'pwdselfservice.settings')

12
pwdselfservice/__init__.py
View File

@ -1,23 +1,19 @@
import datetime
import time
from django_redis import get_redis_connection
from utils.storage.memorystorage import MemoryStorage
from utils.storage.kvstorage import KvStorage
from cryptography.fernet import Fernet
from django_redis import get_redis_connection
from utils.storage.kvstorage import KvStorage
from utils.storage.memorystorage import MemoryStorage
try:
redis_conn = get_redis_connection()
cache_storage = KvStorage(redis_conn)
cache_storage.set('redis_connection', str(datetime.datetime.now()))
redis_get = cache_storage.get('redis_connection')
print("Redis连接成功set/get测试通过--{}Token缓存将使用Redis处理" .format(redis_get))
# print("Redis连接成功set/get测试通过--{}Token缓存将使用Redis处理".format(redis_get))
except Exception as e:
cache_storage = MemoryStorage()
print("Redis无法连接Token缓存将使用MemoryStorage处理")
print("如果确定需要使用Redis作为缓存请排查Redis配置错误信息如下")
print("Redis Exception: {}".format(e))
crypto_key = Fernet.generate_key()

13
pwdselfservice/settings.py
View File

@ -1,5 +1,13 @@
import os
from pwdselfservice.local_settings import REDIS_PASSWORD, REDIS_LOCATION
APP_ENV = os.getenv('APP_ENV')
if APP_ENV == 'dev':
from conf.local_settings_dev import REDIS_PASSWORD, REDIS_LOCATION
DEBUG = True
else:
from conf.local_settings import REDIS_PASSWORD, REDIS_LOCATION
DEBUG = False
# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
@ -7,9 +15,6 @@ BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'nxnm3#&2tat_c2i6%$y74a)t$(3irh^gpwaleoja1kdv30fmcm'
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True
ALLOWED_HOSTS = ['*']
# 创建日志的路径

4
readme.md
View File

@ -96,7 +96,7 @@ Redis的安装和配置方法请自行百度比较简单
### 把整个项目目录上传到新的服务器上
#### 先修改配置文件,按自己实际的配置修改项目配置文件:
修改pwdselfservice/local_settings.py中的参数按自己的实际参数修改
修改conf/local_settings.py中的参数按自己的实际参数修改
```` python
# ########## AD配置修改为自己的
# AD主机可以是IP或主机域名例如可以是: abc.com或172.16.122.1
@ -188,7 +188,7 @@ chmod +x auto-install.sh
### 按自己实际的配置修改项目配置参数:
修改pwdselfservice/local_settings.py中的参数按自己的实际参数修改
修改conf/local_settings.py中的参数按自己的实际参数修改
```` python
# ########## AD配置修改为自己的

3
requestment
View File

@ -1,4 +1,7 @@
Django==3.2
pycryptodome==3.10.1
attrs==21.2.0
python-dateutil==2.8.1
dingtalk-sdk==1.3.8
cryptography==3.4.7
ldap3==2.9

1
resetpwd/form.py
View File

@ -1,6 +1,5 @@
from django.forms import fields as c_fields
from django import forms as c_forms
from django.core.exceptions import ValidationError
class CheckForm(c_forms.Form):

49
resetpwd/utils.py
View File

@ -9,10 +9,16 @@
from django.shortcuts import render
from django.http import HttpResponseRedirect
import logging
from utils.crypto import Crypto
from pwdselfservice.local_settings import TMPID_COOKIE_AGE
from utils.crypto_ops import Crypto
from django.conf import settings
from pwdselfservice import crypto_key
import os
APP_ENV = os.getenv('APP_ENV')
if APP_ENV == 'dev':
from conf.local_settings_dev import *
else:
from conf.local_settings import *
logger = logging.getLogger('django')
@ -26,7 +32,7 @@ def code_2_user_id(ops, request, msg_template, home_url, code):
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
return False, context, user_id
detail_status, user_info = ops.get_user_detail_by_user_id(user_id)
if not detail_status:
context = {
@ -34,16 +40,13 @@ def code_2_user_id(ops, request, msg_template, home_url, code):
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
return user_id, user_info
return False, context, user_info
return True, user_id, user_info
def crypto_id_2_user_info(ops, request, msg_template, home_url, scan_app_tag):
try:
crypto_tmp_id = request.COOKIES.get('tmpid')
except Exception as e:
crypto_tmp_id = None
logger.error('[异常] %s' % str(e))
if not crypto_tmp_id:
logger.error('[异常] 请求方法:%s,请求路径:%s未能拿到TmpID或会话己超时。' % (request.method, request.path))
context = {
@ -51,7 +54,7 @@ def crypto_id_2_user_info(ops, request, msg_template, home_url, scan_app_tag):
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
return False, context
# 解密
crypto = Crypto(crypto_key)
user_id = crypto.decrypt(crypto_tmp_id)
@ -63,9 +66,10 @@ def crypto_id_2_user_info(ops, request, msg_template, home_url, scan_app_tag):
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
return user_info
return False, context
return True, user_info
except Exception as e:
return False, str(e)
def crypto_user_id_2_cookie(user_id):
@ -81,6 +85,9 @@ def crypto_user_id_2_cookie(user_id):
def crypto_id_2_user_id(request, msg_template, home_url):
try:
crypto_tmp_id = request.COOKIES.get('tmpid')
# 解密
crypto = Crypto(crypto_key)
return True, crypto.decrypt(crypto_tmp_id)
except Exception as e:
logger.error('[异常] %s' % str(e))
logger.error('[异常] 请求方法:%s,请求路径:%s未能拿到TmpID或会话己超时。' % (request.method, request.path))
@ -89,10 +96,7 @@ def crypto_id_2_user_id(request, msg_template, home_url):
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
# 解密
crypto = Crypto(crypto_key)
return crypto.decrypt(crypto_tmp_id)
return False, context
def ops_account(ad_ops, request, msg_template, home_url, username, new_password):
@ -102,7 +106,7 @@ def ops_account(ad_ops, request, msg_template, home_url, username, new_password)
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
return False, context
account_code = ad_ops.ad_get_user_status_by_account(username)
if account_code in settings.AD_ACCOUNT_DISABLE_CODE:
@ -111,7 +115,8 @@ def ops_account(ad_ops, request, msg_template, home_url, username, new_password)
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
return False, context
if new_password:
reset_status, result = ad_ops.ad_reset_user_pwd_by_account(username=username, new_password=new_password)
if reset_status:
@ -123,14 +128,14 @@ def ops_account(ad_ops, request, msg_template, home_url, username, new_password)
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
return True, context
else:
context = {
'msg': "密码未修改/重置成功,错误信息:{}".format(result),
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
return False, context
else:
unlock_status, result = ad_ops.ad_unlock_user_by_account(username)
if unlock_status:
@ -139,11 +144,11 @@ def ops_account(ad_ops, request, msg_template, home_url, username, new_password)
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
return True, context
else:
context = {
'msg': "账号未能解锁,错误信息:{}".format(result),
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
return False, context

50
resetpwd/views.py
View File

@ -1,14 +1,16 @@
import logging
from django.http import HttpResponseRedirect
import os
from django.shortcuts import render
from pwdselfservice.local_settings import SCAN_CODE_TYPE, DING_MO_APP_ID, WEWORK_CORP_ID, WEWORK_AGENT_ID, HOME_URL, TMPID_COOKIE_AGE
from utils.ad_ops import AdOps
from utils.crypto import Crypto
from utils.format_username import format2username, get_user_is_active
from .form import CheckForm
from .utils import code_2_user_id, crypto_id_2_user_info, ops_account, crypto_id_2_user_id, crypto_user_id_2_cookie
APP_ENV = os.getenv('APP_ENV')
if APP_ENV == 'dev':
from conf.local_settings_dev import SCAN_CODE_TYPE, DING_MO_APP_ID, WEWORK_CORP_ID, WEWORK_AGENT_ID, HOME_URL
else:
from conf.local_settings import SCAN_CODE_TYPE, DING_MO_APP_ID, WEWORK_CORP_ID, WEWORK_AGENT_ID, HOME_URL
msg_template = 'messages.html'
logger = logging.getLogger('django')
@ -27,6 +29,12 @@ class PARAMS(object):
SCAN_APP = '微信'
from utils.wework_ops import WeWorkOps
ops = WeWorkOps()
else:
app_id = WEWORK_CORP_ID
agent_id = WEWORK_AGENT_ID
SCAN_APP = '微信'
from utils.wework_ops import WeWorkOps
ops = WeWorkOps()
scan_params = PARAMS()
@ -53,6 +61,8 @@ def index(request):
return render(request, 'ding_index.html', locals())
elif request.method == 'GET' and SCAN_CODE_TYPE == 'WEWORK':
return render(request, 'we_index.html', locals())
elif request.method == 'GET' and SCAN_CODE_TYPE == 'FEISHU':
return render(request, 'feishu_index.html', locals())
else:
logger.error('[异常] 请求方法:%s,请求路径:%s' % (request.method, request.path))
@ -112,8 +122,11 @@ def callback_check(request):
'button_display': "返回主页"
}
return render(request, msg_template, context)
print("code: {}" .format(code))
try:
user_id, user_info = code_2_user_id(_ops, request, msg_template, home_url, code)
_status, user_id, user_info = code_2_user_id(_ops, request, msg_template, home_url, code)
if not _status:
return render(request, msg_template, user_id)
# 账号是否是激活的
if get_user_is_active(user_info):
return crypto_user_id_2_cookie(user_id)
@ -143,7 +156,9 @@ def reset_pwd_by_callback(request):
home_url = '%s://%s' % (request.scheme, HOME_URL)
# 从cookie中提取union_id并解密然后对当前union_id的用户进行重置密码
if request.method == 'GET':
user_id = crypto_id_2_user_id(request, msg_template, home_url)
_status, user_id = crypto_id_2_user_id(request, msg_template, home_url)
if not _status:
return render(request, msg_template, user_id)
userid_status, user_info = _ops.get_user_detail_by_user_id(user_id)
if not userid_status:
context = {
@ -170,10 +185,21 @@ def reset_pwd_by_callback(request):
# 重置密码页面,输入新密码后点击提交
elif request.method == 'POST':
try:
_new_password = request.POST.get('new_password').strip()
user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP)
_status, user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP)
if not _status:
return render(request, msg_template, user_info)
username = format2username(user_info.get('email'))
return ops_account(ad_ops, request, msg_template, home_url, username, _new_password)
except Exception as reset_e:
context = {
'msg': "错误[%s],请与管理员联系." % str(reset_e),
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
logger.error('[异常] %s' % str(reset_e))
return render(request, msg_template, context)
else:
context = {
'msg': "请从主页开始进行操作。",
@ -191,7 +217,9 @@ def unlock_account(request):
"""
home_url = '%s://%s' % (request.scheme, HOME_URL)
if request.method == 'GET':
user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP)
_status, user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP)
if not _status:
return render(request, msg_template, user_info)
username = format2username(user_info.get('email'))
context = {
'username': username,
@ -199,7 +227,9 @@ def unlock_account(request):
return render(request, 'resetPassword.html', context)
elif request.method == 'POST':
user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP)
_status, user_info = crypto_id_2_user_info(_ops, request, msg_template, home_url, scan_params.SCAN_APP)
if not _status:
return render(request, msg_template, user_info)
username = format2username(user_info.get('email'))
return ops_account(ad_ops, request, msg_template, home_url, username, None)
else:

1
templates/ding_index.html
View File

@ -76,7 +76,6 @@
width: "300",
height: "300"
});
// 获取loginTmpCode
var hanndleMessage = function (event) {
var origin = event.origin;
console.log("origin", event.origin)

8
utils/ad_ops.py
View File

@ -2,8 +2,12 @@ from ldap3 import *
from ldap3.core.exceptions import LDAPInvalidCredentialsResult, LDAPOperationResult
from ldap3.core.results import *
from ldap3.utils.dn import safe_dn
from pwdselfservice.local_settings import *
import os
APP_ENV = os.getenv('APP_ENV')
if APP_ENV == 'dev':
from conf.local_settings_dev import *
else:
from conf.local_settings import *
"""
根据以下网站的说明

0
utils/crypto.py → utils/crypto_ops.py
View File

35
utils/dingding_ops.py
View File

@ -11,11 +11,19 @@ import requests
from dingtalk.client import AppKeyClient
from pwdselfservice import cache_storage
from pwdselfservice.local_settings import DING_APP_KEY, DING_APP_SECRET, DING_CORP_ID, DING_URL, DING_MO_APP_ID, DING_MO_APP_SECRET
import os
APP_ENV = os.getenv('APP_ENV')
if APP_ENV == 'dev':
from conf.local_settings_dev import *
else:
from conf.local_settings import *
class DingDingOps(object):
def __init__(self, corp_id=DING_CORP_ID, app_key=DING_APP_KEY, app_secret=DING_APP_SECRET, mo_app_id=DING_MO_APP_ID, mo_app_secret=DING_MO_APP_SECRET, storage=cache_storage):
class DingDingOps(AppKeyClient):
def __init__(self, corp_id=DING_CORP_ID, app_key=DING_APP_KEY, app_secret=DING_APP_SECRET, mo_app_id=DING_MO_APP_ID, mo_app_secret=DING_MO_APP_SECRET,
storage=cache_storage):
super().__init__(corp_id, app_key, app_secret, storage)
self.corp_id = corp_id
self.app_key = app_key
self.app_secret = app_secret
@ -23,23 +31,13 @@ class DingDingOps(object):
self.mo_app_secret = mo_app_secret
self.storage = storage
@property
def _client_connect(self):
"""
钉钉连接器
:return:
"""
return AppKeyClient(corp_id=self.corp_id, app_key=self.app_key, app_secret=self.app_secret)
def get_union_id_by_code(self, code):
"""
通过移动应用接入扫码返回的临时授权码使用临时授权码换取用户的 unionid
:param code:
:return:
:param code: 临时授权码
:return: unionid
"""
# token = self.ding_get_access_token
time_stamp = int(round(time.time() * 1000))
# 时间戳
# 通过appSecret计算出来的签名值该参数值在HTTP请求参数中需要urlEncode(因为签名中可能包含特殊字符+)。
signature = quote(base64.b64encode(hmac.new(
self.mo_app_secret.encode('utf-8'),
@ -51,8 +49,8 @@ class DingDingOps(object):
url=url,
json=dict(tmp_auth_code=code),
)
resp = resp.json()
try:
resp = resp.json()
if resp['errcode'] != 0:
return False, 'get_union_id_by_code: %s' % str(resp)
else:
@ -68,7 +66,7 @@ class DingDingOps(object):
"""
_status, union_id = self.get_union_id_by_code(code)
if _status:
return True, self._client_connect.user.get_userid_by_unionid(union_id).get('userid')
return True, self.user.get_userid_by_unionid(union_id).get('userid')
else:
return False, 'get_user_id_by_code: %s' % str(union_id)
@ -79,9 +77,10 @@ class DingDingOps(object):
:return:
"""
try:
return True, self._client_connect.user.get(user_id)
return True, self.user.get(user_id)
except Exception as e:
return False, 'get_user_detail_by_user_id: %s' % str(e)
except (KeyError, IndexError) as k_error:
return False, 'get_user_detail_by_user_id: %s' % str(k_error)

2
utils/storage/kvstorage.py
View File

@ -54,7 +54,7 @@ def byte2int(c):
class KvStorage(BaseStorage):
def __init__(self, kvdb, prefix='wework'):
def __init__(self, kvdb, prefix='client'):
for method_name in ('get', 'set', 'delete'):
assert hasattr(kvdb, method_name)
self.kvdb = kvdb

0
utils/wework_api/AbstractApi.py → utils/wework_api/abstract_api.py
View File

13
utils/wework_ops.py
View File

@ -7,11 +7,17 @@
# @Date 2021/5/18 16:55
from __future__ import absolute_import, unicode_literals
from pwdselfservice import cache_storage
import os
from pwdselfservice.local_settings import *
from pwdselfservice import cache_storage
from utils.storage.cache import WeWorkCache
from utils.wework_api.AbstractApi import *
from utils.wework_api.abstract_api import *
APP_ENV = os.getenv('APP_ENV')
if APP_ENV == 'dev':
from conf.local_settings_dev import *
else:
from conf.local_settings import *
CORP_API_TYPE = {
'GET_ACCESS_TOKEN': ['/cgi-bin/gettoken', 'GET'],
@ -137,4 +143,3 @@ class WeWorkOps(AbstractApi):
if __name__ == '__main__':
wx = WeWorkOps()
print(wx.get_user_detail_by_user_id('XiangLe'))