7x31/ad-password-self-service
1
0
Fork 0
mirror of https://github.com/capricornxl/ad-password-self-service.git synced 2025-08-12 01:11:01 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix session cache bug

Browse Source
This commit is contained in:
Leven
2023-02-10 11:19:47 +08:00
parent 1752b1d16f
commit a68fc3f307
13 changed files with 420 additions and 360 deletions
Download Patch File Download Diff File Expand all files Collapse all files

113
resetpwd/utils.py
View File

@@ -31,31 +31,6 @@ def code_2_user_detail(ops, home_url, code):
return _, s, e
@decorator_logger(logger, log_head='AccountOps', pretty=True, indent=2, verbose=1)
def code_2_user_info_with_oauth2(ops, request, msg_template, home_url, code):
"""
临时授权码换取userinfo
"""
_status, user_id = ops.get_user_id_by_code(code)
# 判断 user_id 在本企业钉钉/微信中是否存在
if not _status:
context = {'global_title': TITLE,
'msg': '获取userid失败错误信息{}'.format(user_id),
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return False, context, user_id
detail_status, user_info = ops.get_user_detail_by_user_id(user_id)
if not detail_status:
context = {'global_title': TITLE,
'msg': '获取用户信息失败,错误信息:{}'.format(user_info),
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return False, context, user_info
return True, user_id, user_info
@decorator_logger(logger, log_head='AccountOps', pretty=True, indent=2, verbose=1)
def ops_account(ad_ops, request, msg_template, home_url, username, new_password):
"""
@@ -65,27 +40,30 @@ def ops_account(ad_ops, request, msg_template, home_url, username, new_password)
print("ops_account: {}".format(username))
_status, _account = ad_ops.ad_ensure_user_by_account(username=username)
if not _status:
context = {'global_title': TITLE,
'msg': "账号[%s]在AD中不存在请确认当前钉钉扫码账号绑定的邮箱是否和您正在使用的邮箱一致或者该账号己被禁用\n猜测:您的账号或邮箱是否是带有数字或其它字母区分?" % username,
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
context = {
'global_title': TITLE,
'msg': "账号[%s]在AD中不存在请确认当前钉钉扫码账号绑定的邮箱是否和您正在使用的邮箱一致或者该账号己被禁用\n猜测:您的账号或邮箱是否是带有数字或其它字母区分?" % username,
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
_status, account_code = ad_ops.ad_get_user_status_by_account(username)
if _status and account_code in settings.AD_ACCOUNT_DISABLE_CODE:
context = {'global_title': TITLE,
'msg': "此账号状态为己禁用请联系HR确认账号是否正确。",
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
context = {
'global_title': TITLE,
'msg': "此账号状态为己禁用请联系HR确认账号是否正确。",
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
elif not _status:
context = {'global_title': TITLE,
'msg': "错误:{}".format(account_code),
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
context = {
'global_title': TITLE,
'msg': "错误:{}".format(account_code),
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
if new_password:
@@ -94,39 +72,44 @@ def ops_account(ad_ops, request, msg_template, home_url, username, new_password)
# 重置密码并执行一次解锁,防止重置后账号还是锁定状态。
unlock_status, result = ad_ops.ad_unlock_user_by_account(username)
if unlock_status:
context = {'global_title': TITLE,
'msg': "密码己修改成功,请妥善保管。你可以点击修改密码或直接关闭此页面!",
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
context = {
'global_title': TITLE,
'msg': "密码己修改成功,请妥善保管。你可以点击修改密码或直接关闭此页面!",
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
else:
context = {'global_title': TITLE,
'msg': "密码未修改/重置成功,错误信息:{}".format(result),
'button_click': "window.location.href='%s'" % '/auth',
'button_display': "重新认证授权"
}
context = {
'global_title': TITLE,
'msg': "密码未修改/重置成功,错误信息:{}".format(result),
'button_click': "window.location.href='%s'" % '/auth',
'button_display': "重新认证授权"
}
return render(request, msg_template, context)
else:
unlock_status, result = ad_ops.ad_unlock_user_by_account(username)
if unlock_status:
context = {'global_title': TITLE,
'msg': "账号己解锁成功。你可以点击返回主页或直接关闭此页面!",
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
context = {
'global_title': TITLE,
'msg': "账号己解锁成功。你可以点击返回主页或直接关闭此页面!",
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
return render(request, msg_template, context)
else:
context = {'global_title': TITLE,
'msg': "账号未能解锁,错误信息:{}".format(result),
'button_click': "window.location.href='%s'" % '/auth',
'button_display': "重新认证授权"
}
context = {
'global_title': TITLE,
'msg': "账号未能解锁,错误信息:{}".format(result),
'button_click': "window.location.href='%s'" % '/auth',
'button_display': "重新认证授权"
}
return render(request, msg_template, context)
except LDAPException as l_e:
context = {'global_title': TITLE,
'msg': "账号未能解锁,错误信息:{}".format(l_e),
'button_click': "window.location.href='%s'" % '/auth',
'button_display': "重新认证授权"
}
context = {
'global_title': TITLE,
'msg': "账号未能解锁,错误信息:{}".format(l_e),
'button_click': "window.location.href='%s'" % '/auth',
'button_display': "重新认证授权"
}
return render(request, msg_template, context)

109
resetpwd/views.py
View File

@@ -1,15 +1,16 @@
import json
import logging
import os
import traceback
from django.shortcuts import render
from utils.ad_ops import AdOps
import urllib.parse as url_encode
from utils.format_username import format2username, get_user_is_active, get_email_from_userinfo
from .form import CheckForm
from .utils import code_2_user_detail, ops_account
from django.conf import settings
from utils.logger_filter import decorator_request_logger
from utils.tracecalls import decorator_logger
from pwdselfservice import cache_storage
APP_ENV = os.getenv('APP_ENV')
if APP_ENV == 'dev':
@@ -51,11 +52,9 @@ def auth(request):
app_id = scan_params.app_id
agent_id = scan_params.agent_id
scan_app = scan_params.AUTH_APP
unsecpwd = settings.UN_SEC_PASSWORD
redirect_url = url_encode.quote(home_url + '/resetPassword')
app_type = INTEGRATION_APP_TYPE
global_title = TITLE
if request.method == 'GET':
return render(request, 'auth.html', locals())
else:
@@ -129,30 +128,27 @@ def reset_password(request):
"""
home_url = '%s://%s' % (request.scheme, HOME_URL)
if request.method == 'GET':
code = request.GET.get('code', None)
username = request.GET.get('username', None)
# 如果满足,说明已经授权免密登录
if username and code and request.session.get(username) == code:
code = request.GET.get('code')
username = request.GET.get('username')
# 如果从GET路径中提取到username、code并且在缓存中存在username对应的code值说明已经认证过
if username and code and cache_storage.get(username) == code:
context = {
'global_title': TITLE,
'username': username,
'code': code,
}
return render(request, 'reset_password.html', context)
# 否则就是第一次认证用code换取用户信息
else:
if code:
logger.info('[成功] 请求方法:%s,请求路径:%sCode%s' % (request.method, request.path, code))
else:
logger.error('[异常] 请求方法:%s,请求路径:%s未能拿到Code。' % (request.method, request.path))
if not code:
context = {
'global_title': TITLE,
'msg': "错误,临时授权码己失效,请尝试重新认证授权..",
'msg': "临时授权码己失效,请尝试重新认证授权...",
'button_click': "window.location.href='%s'" % '/auth',
'button_display': "重新认证授权"
}
return render(request, msg_template, context)
try:
# 用code换取用户基本信息
_status, user_id, user_info = code_2_user_detail(_ops, home_url, code)
if not _status:
return render(request, msg_template, user_id)
@@ -166,6 +162,44 @@ def reset_password(request):
'button_display': "返回主页"
}
return render(request, msg_template, context)
# 通过user_info拿到用户邮箱并格式化为username
_, email = get_email_from_userinfo(user_info)
if not _:
context = {
'global_title': TITLE,
'msg': email,
'button_click': "window.location.href='%s'" % '/auth',
'button_display': "重新认证授权"
}
return render(request, msg_template, context)
_, username = format2username(email)
if _ is False:
context = {
'global_title': TITLE,
'msg': username,
'button_click': "window.location.href='%s'" % '/auth',
'button_display': "重新认证授权"
}
return render(request, msg_template, context)
if username:
cache_storage.set(username, code, ttl=300)
context = {
'global_title': TITLE,
'username': username,
'code': code,
}
return render(request, 'reset_password.html', context)
else:
context = {
'global_title': TITLE,
'msg': "{},您好,企业{}中未能找到您账号的邮箱配置请联系HR完善信息。".format(
user_info.get('name'), scan_params.AUTH_APP),
'button_click': "window.location.href='%s'" % '/auth',
'button_display': "重新认证授权"
}
return render(request, msg_template, context)
except Exception as callback_e:
context = {
'global_title': TITLE,
@@ -176,50 +210,11 @@ def reset_password(request):
logger.error('[异常] %s' % str(callback_e))
return render(request, msg_template, context)
# 通过user_info拿到用户邮箱并格式化为username
_, email = get_email_from_userinfo(user_info)
if not _:
context = {
'global_title': TITLE,
'msg': email,
'button_click': "window.location.href='%s'" % '/auth',
'button_display': "重新认证授权"
}
return render(request, msg_template, context)
_, username = format2username(email)
if _ is False:
context = {
'global_title': TITLE,
'msg': username,
'button_click': "window.location.href='%s'" % '/auth',
'button_display': "重新认证授权"
}
return render(request, msg_template, context)
if username:
request.session[username] = code
context = {
'global_title': TITLE,
'username': username,
'code': code,
}
return render(request, 'reset_password.html', context)
else:
context = {
'global_title': TITLE,
'msg': "{},您好,企业{}中未能找到您账号的邮箱配置请联系HR完善信息。".format(
user_info.get('name'), scan_params.AUTH_APP),
'button_click': "window.location.href='%s'" % '/auth',
'button_display': "重新认证授权"
}
return render(request, msg_template, context)
# 重置密码页面,输入新密码后点击提交
elif request.method == 'POST':
username = request.POST.get('username')
code = request.POST.get('code')
if username and code and request.session.get(username) == code:
if username and code and cache_storage.get(username) == code:
_new_password = request.POST.get('new_password').strip()
try:
return ops_account(ad_ops=AdOps(), request=request, msg_template=msg_template, home_url=home_url,
@@ -255,7 +250,7 @@ def unlock_account(request):
if request.method == 'GET':
code = request.GET.get('code')
username = request.GET.get('username')
if username and code and request.session.get(username) == code:
if username and code and cache_storage.get(username) == code:
context = {
'global_title': TITLE,
'username': username,
@@ -274,7 +269,7 @@ def unlock_account(request):
if request.method == 'POST':
username = request.POST.get('username')
code = request.POST.get('code')
if username and code and request.session.get(username) == code:
if username and code and cache_storage.get(username) == code:
try:
return ops_account(AdOps(), request, msg_template, home_url, username, None)
except Exception as reset_e:
@@ -284,7 +279,7 @@ def unlock_account(request):
'button_click': "window.location.href='%s'" % home_url,
'button_display': "返回主页"
}
logger.error('[异常] %s' % str(reset_e))
logger.error('{}' .format(traceback.format_exc()))
return render(request, msg_template, context)
else:
context = {