pref(api): authentication and login log (#308)

* pref(api): authentication and login log

* feat(api): ldap and OAuth2.0

cmdb-api/api/lib/perm/authentication/oauth2/routing.py

@@ -1,5 +1,6 @@
 # -*- coding:utf-8 -*-
 
+import datetime
 import secrets
 import uuid
 
@@ -14,69 +15,80 @@ from flask import url_for
 from flask_login import login_user, logout_user
 from six.moves.urllib.parse import urlencode
 
+from api.lib.common_setting.common_data import AuthenticateDataCRUD
+from api.lib.perm.acl.audit import AuditCRUD
 from api.lib.perm.acl.cache import UserCache
+from api.lib.perm.acl.resp_format import ErrFormat
 
 blueprint = Blueprint('oauth2', __name__)
 
 
-@blueprint.route('/api/oauth2/login')
-@blueprint.route('/api/sso/login')
-def login():
+@blueprint.route('/api/<string:auth_type>/login')
+def login(auth_type):
+    config = AuthenticateDataCRUD(auth_type.upper()).get()
+
     if request.values.get("next"):
         session["next"] = request.values.get("next")
 
-    session['oauth2_state'] = secrets.token_urlsafe(16)
+    session[f'{auth_type}_state'] = secrets.token_urlsafe(16)
+
+    auth_type = auth_type.upper()
 
     qs = urlencode({
-        'client_id': current_app.config['OAUTH2_CLIENT_ID'],
-        'redirect_uri': url_for('oauth2.callback', _external=True),
-        'response_type': current_app.config['OAUTH2_RESPONSE_TYPE'],
-        'scope': ' '.join(current_app.config['OAUTH2_SCOPES'] or []),
-        'state': session['oauth2_state'],
+        'client_id': config['client_id'],
+        'redirect_uri': url_for('oauth2.callback', auth_type=auth_type.lower(), _external=True),
+        'response_type': current_app.config[f'{auth_type}_RESPONSE_TYPE'],
+        'scope': ' '.join(config['scopes'] or []),
+        'state': session[f'{auth_type.lower()}_state'],
     })
 
-    return redirect("{}?{}".format(current_app.config['OAUTH2_AUTHORIZE_URL'].split('?')[0], qs))
+    return redirect("{}?{}".format(config['authorize_url'].split('?')[0], qs))
 
 
-@blueprint.route('/api/oauth2/callback')
-def callback():
-    redirect_url = session.get("next") or current_app.config.get("OAUTH2_AFTER_LOGIN")
+@blueprint.route('/api/<string:auth_type>/callback')
+def callback(auth_type):
+    auth_type = auth_type.upper()
+    config = AuthenticateDataCRUD(auth_type).get()
 
-    if request.values['state'] != session.get('oauth2_state'):
+    redirect_url = session.get("next") or config.get('after_login') or '/'
+
+    if request.values['state'] != session.get(f'{auth_type.lower()}_state'):
         return abort(401, "state is invalid")
 
     if 'code' not in request.values:
         return abort(401, 'code is invalid')
 
-    response = requests.post(current_app.config['OAUTH2_TOKEN_URL'], data={
-        'client_id': current_app.config['OAUTH2_CLIENT_ID'],
-        'client_secret': current_app.config['OAUTH2_CLIENT_SECRET'],
+    response = requests.post(config['token_url'], data={
+        'client_id': config['client_id'],
+        'client_secret': config['client_secret'],
         'code': request.values['code'],
-        'grant_type': current_app.config['OAUTH2_GRANT_TYPE'],
-        'redirect_uri': url_for('oauth2.callback', _external=True),
+        'grant_type': current_app.config[f'{auth_type}_GRANT_TYPE'],
+        'redirect_uri': url_for('oauth2.callback', auth_type=auth_type.lower(), _external=True),
     }, headers={'Accept': 'application/json'})
     if response.status_code != 200:
         current_app.logger.error(response.text)
         return abort(401)
-    oauth2_token = response.json().get('access_token')
-    if not oauth2_token:
+    access_token = response.json().get('access_token')
+    if not access_token:
         return abort(401)
 
-    response = requests.get(current_app.config['OAUTH2_USER_INFO']['url'], headers={
-        'Authorization': 'Bearer {}'.format(oauth2_token),
+    response = requests.get(config['user_info']['url'], headers={
+        'Authorization': 'Bearer {}'.format(access_token),
         'Accept': 'application/json',
     })
     if response.status_code != 200:
         return abort(401)
 
-    email = current_app.config['OAUTH2_USER_INFO']['email'](response.json())
-    username = current_app.config['OAUTH2_USER_INFO']['username'](response.json())
+    res = response.json()
+    email = res.get(config['user_info']['email'])
+    username = res.get(config['user_info']['username'])
+    avatar = res.get(config['user_info'].get('avatar'))
     user = UserCache.get(username)
     if user is None:
         current_app.logger.info("create user: {}".format(username))
         from api.lib.perm.acl.user import UserCRUD
 
-        user_dict = dict(username=username, email=email)
+        user_dict = dict(username=username, email=email, avatar=avatar)
         user_dict['password'] = uuid.uuid4().hex
 
         user = UserCRUD.add(**user_dict)
@@ -98,21 +110,25 @@ def callback():
                           roleName=user_info.get("role"))
     session["uid"] = user_info.get("uid")
 
+    _id = AuditCRUD.add_login_log(username, True, ErrFormat.login_succeed)
+    session['LOGIN_ID'] = _id
+
     return redirect(redirect_url)
 
 
-@blueprint.route('/api/oauth2/logout')
-@blueprint.route('/api/sso/logout')
-def logout():
+@blueprint.route('/api/<string:auth_type>/logout')
+def logout(auth_type):
     "acl" in session and session.pop("acl")
     "uid" in session and session.pop("uid")
-    'oauth2_state' in session and session.pop('oauth2_state')
+    f'{auth_type}_state' in session and session.pop(f'{auth_type}_state')
     "next" in session and session.pop("next")
 
-    redirect_url = url_for('oauth2.login', _external=True, next=request.referrer)
+    redirect_url = url_for('oauth2.login', auth_type=auth_type, _external=True, next=request.referrer)
 
     logout_user()
 
     current_app.logger.debug('Redirecting to: {0}'.format(redirect_url))
 
+    AuditCRUD.add_login_log(None, None, None, _id=session.get('LOGIN_ID'), logout_at=datetime.datetime.now())
+
     return redirect(redirect_url)